My Fellow Americans:

The way business is transacted, government operates, and national defense is
conducted have changed. These activities now rely on an interdependent network
of information technology infrastructures called cyberspace. The National Strategy
to Secure Cyberspace provides a framework for protecting this infrastructure that is
essential to our economy, security, and way of life.

In the past few years, threats in cyberspace have risen dramatically. The policy of
the United States is to protect against the debilitating disruption of the operation
of information systems for critical infrastructures and, thereby, help to protect the
people, economy, and national security of the United States. We must act to reduce
our vulnerabilities to these threats before they can be exploited to damage the
cyber systems supporting our Nation’s critical infrastructures and ensure that such
disruptions of cyberspace are infrequent, of minimal duration, manageable, and
cause the least damage possible.

Securing cyberspace is an extraordinarily difficult strategic challenge that requires a
coordinated and focused effort from our entire society — the federal government,
state and local governments, the private sector, and the American people. To
engage Americans in securing cyberspace, a draft version of this strategy was
released for public comment, and ten town hall meetings were held around the
Nation to gather input on the development of a national strategy. Thousands of
people and numerous organizations participated in these town hall meetings and
responded with comments. I thank them all for their continuing participation.

The cornerstone of America’s cyberspace security strategy is and will remain a
public-private partnership. The federal government invites the creation of, and
participation in, public-private partnerships to implement this strategy. Only by
acting together can we build a more secure future in cyberspace.

Executive Summary


Our Nation's critical infrastructures are
composed of public and private institutions in
the sectors of agriculture, food, water, public
health, emergency services, government, defense
industrial base, information and telecommunications,
energy, transportation, banking and
finance, chemicals and hazardous materials, and
postal and shipping. Cyberspace is their nervous
system—the control system of our country.

Cyberspace is composed of hundreds of
thousands of interconnected computers, servers,
routers, switches, and fiber optic cables that
allow our critical infrastructures to work. Thus,
the healthy functioning of cyberspace is
essential to our economy and our national
security.


This National Strategy to Secure Cyberspace is
part of our overall effort to protect the Nation.
It is an implementing component of the
National Strategy for Homeland Security and is
complemented by a National Strategy for the
Physical Protection of Critical Infrastructures and
Key Assets. The purpose of this document is to
engage and empower Americans to secure the
portions of cyberspace that they own, operate,
control, or with which they interact. Securing
cyberspace is a difficult strategic challenge that
requires coordinated and focused effort from
our entire society—the federal government,
state and local governments, the private sector,
and the American people.

The National Strategy to Secure Cyberspace
outlines an initial framework for both organizing
and prioritizing efforts. It provides
direction to the federal government departments
and agencies that have roles in
cyberspace security. It also identifies steps that
state and local governments, private companies
and organizations, and individual Americans
can take to improve our collective cybersecurity.
The Strategy highlights the role of public-private
engagement. The document provides a
framework for the contributions that we all can
make to secure our parts of cyberspace. The
dynamics of cyberspace will require adjustments
and amendments to the Strategy over time.

The speed and anonymity of cyber attacks
makes distinguishing among the actions of
terrorists, criminals, and nation states difficult, a
task which often occurs only after the fact, if at
all. Therefore, the National Strategy to Secure
Cyberspace helps reduce our Nation's vulnerability
to debilitating attacks against our critical
information infrastructures or the physical
assets that support them.

Strategic Objectives

Consistent with the National Strategy for
Homeland Security, the strategic objectives
of this National Strategy to Secure Cyberspace
are to:

• Prevent cyber attacks against America's
critical infrastructures;

• Reduce national vulnerability to cyber
attacks; and

• Minimize damage and recovery time from
cyber attacks that do occur.

Threat and Vulnerability

Our economy and national security are fully
dependent upon information technology and
the information infrastructure. At the core of
the information infrastructure upon which we
depend is the Internet, a system originally
designed to share unclassified research among
scientists who were assumed to be uninterested
in abusing the network. It is that same Internet
that today connects millions of other computer
networks making most of the nation's essential
services and infrastructures work. These
computer networks also control physical objects
such as electrical transformers, trains, pipeline
pumps, chemical vats, radars, and stock
markets, all of which exist beyond cyberspace.

A spectrum of malicious actors can and do
conduct attacks against our critical information
infrastructures. Of primary concern is the threat
of organized cyber attacks capable of causing
debilitating disruption to our Nation's critical
infrastructures, economy, or national security.
The required technical sophistication to carry
out such an attack is high—and partially
explains the lack of a debilitating attack to date.
We should not, however, be too sanguine. There
have been instances where organized attackers
have exploited vulnerabilities that may be
indicative of more destructive capabilities.

Uncertainties exist as to the intent and full
technical capabilities of several observed
attacks. Enhanced cyber threat analysis is
needed to address long-term trends related to
threats and vulnerabilities. What is known is
that the attack tools and methodologies are
becoming widely available, and the technical
capability and sophistication of users bent on
causing havoc or disruption is improving.

In peacetime America's enemies may conduct
espionage on our Government, university
research centers, and private companies. They
may also seek to prepare for cyber strikes during
a confrontation by mapping U.S. information
systems, identifying key targets, and lacing our
infrastructure with back doors and other means
of access. In wartime or crisis, adversaries may
seek to intimidate the Nation's political leaders
by attacking critical infrastructures and key
economic functions or eroding public confidence
in information systems.

Cyber attacks on United States information
networks can have serious consequences such as
disrupting critical operations, causing loss of
revenue and intellectual property, or loss of life.
Countering such attacks requires the development
of robust capabilities where they do not
exist today if we are to reduce vulnerabilities
and deter those with the capabilities and intent
to harm our critical infrastructures.

The Government Role in Securing Cyberspace

In general, the private sector is best equipped
and structured to respond to an evolving cyber
threat. There are specific instances, however,
where federal government response is most
appropriate and justified. Looking inward,
providing continuity of government requires
ensuring the safety of its own cyber infrastructure
and those assets required for
supporting its essential missions and services.

Externally, a government role in cybersecurity is
warranted in cases where high transaction costs
or legal barriers lead to significant coordination
problems; cases in which governments operate
in the absence of private sector forces;
resolution of incentive problems that lead to
under provisioning of critical shared resources;
and raising awareness.

Public-private engagement is a key component
of our Strategy to secure cyberspace. This is
true for several reasons. Public-private partnerships
can usefully confront coordination
problems. They can significantly enhance
information exchange and cooperation.

Public-private engagement will take a variety
of forms and will address awareness, training,
technological improvements, vulnerability
remediation, and recovery operations.

A federal role in these and other cases is only
justified when the benefits of intervention
outweigh the associated costs. This standard is
especially important in cases where there are
viable private sector solutions for addressing any
potential threat or vulnerability. For each case,
consideration should be given to the broad-based
costs and impacts of a given government
action, versus other alternative actions, versus
non-action, taking into account any existing or
future private solutions.

Federal actions to secure cyberspace are
warranted for purposes including: forensics and
attack attribution, protection of networks and
systems critical to national security, indications
and warnings, and protection against organized
attacks capable of inflicting debilitating damage
to the economy. Federal activities should also
support research and technology development
that will enable the private sector to better
secure privately-owned portions of the Nation's
critical infrastructure.

Department of Homeland Security and Cyberspace Security

On November 25, 2002, President Bush signed
legislation creating the Department of
Homeland Security (DHS). This new cabinet-level
department will unite 22 federal entities
for the common purpose of improving our
homeland security. The Secretary of DHS will
have important responsibilities in cyberspace
security. These responsibilities include:

• Developing a comprehensive national plan
for securing the key resources and critical
infrastructure of the United States;

• Providing crisis management in response
to attacks on critical information systems;

• Providing technical assistance to the
private sector and other government
entities with respect to emergency
recovery plans for failures of critical information
systems;

• Coordinating with other agencies of the
federal government to provide specific
warning information and advice about
appropriate protective measures and
countermeasures to state, local, and
nongovernmental organizations including
the private sector, academia, and the
public; and

• Performing and funding research and
development along with other agencies
that will lead to new scientific understanding
and technologies in support of
homeland security.

Consistent with these responsibilities, DHS will
become a federal center of excellence for cybersecurity
and provide a focal point for federal
outreach to state, local, and nongovernmental
organizations including the private sector,
academia, and the public.

Critical Priorities for Cyberspace Security

The National Strategy to Secure Cyberspace
articulates five national priorities including:

I. A National Cyberspace Security
Response System;

II. A National Cyberspace Security Threat
and Vulnerability Reduction Program;

III. A National Cyberspace Security
Awareness and Training Program;

IV. Securing Governments' Cyberspace; and

V. National Security and International
Cyberspace Security Cooperation.

The first priority focuses on improving our
response to cyber incidents and reducing the
potential damage from such events. The second,
third, and fourth priorities aim to reduce threats
from, and our vulnerabilities to, cyber attacks.

The fifth priority is to prevent cyber attacks
that could impact national security assets and to
improve the international management of and
response to such attacks.


Priority I: A National Cyberspace Security Response System

Rapid identification, information exchange, and
remediation can often mitigate the damage
caused by malicious cyberspace activity. For
those activities to be effective at a national level,
the United States needs a partnership between
government and industry to perform analyses,
issue warnings, and coordinate response efforts.
Privacy and civil liberties must be protected in
the process. Because no cybersecurity plan can
be impervious to concerted and intelligent
attack, information systems must be able to
operate while under attack and have the
resilience to restore full operations quickly.

The National Strategy to Secure Cyberspace
identifies eight major actions and initiatives for
cyberspace security response:

1. Establish a public-private architecture for
responding to national-level cyber
incidents;

2. Provide for the development of tactical
and strategic analysis of cyber attacks and
vulnerability assessments;

3. Encourage the development of a private
sector capability to share a synoptic view
of the health of cyberspace;

4. Expand the Cyber Warning and
Information Network to support the role
of DHS in coordinating crisis
management for cyberspace security;

5. Improve national incident management;

6. Coordinate processes for voluntary
participation in the development of
national public-private continuity and
contingency plans;

7. Exercise cybersecurity continuity plans
for federal systems; and

8. Improve and enhance public-private
information sharing involving cyber
attacks, threats, and vulnerabilities.

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

By exploiting vulnerabilities in our cyber
systems, an organized attack may endanger the
security of our Nation's critical infrastructures.

The vulnerabilities that most threaten cyberspace
occur in the information assets of critical
infrastructure enterprises themselves and their
external supporting structures, such as the
mechanisms of the Internet. Lesser-secured
sites on the interconnected network of networks
also present potentially significant exposures to
cyber attacks. Vulnerabilities result from
weaknesses in technology and because of
improper implementation and oversight of
technological products.

The National Strategy to Secure Cyberspace
identifies eight major actions and initiatives to
reduce threats and related vulnerabilities:

1. Enhance law enforcement's capabilities
for preventing and prosecuting cyberspace
attacks;

2. Create a process for national vulnerability
assessments to better understand the
potential consequences of threats and
vulnerabilities;

3. Secure the mechanisms of the Internet by
improving protocols and routing;

4. Foster the use of trusted digital control
systems/supervisory control and data
acquisition systems;

5. Reduce and remediate software vulnerabilities;

6. Understand infrastructure interdependencies
and improve the physical security
of cyber systems and telecommunications;

7. Prioritize federal cybersecurity research
and development agendas; and

8. Assess and secure emerging systems.

Priority III: A National Cyberspace Security Awareness and Training Program

Many cyber vulnerabilities exist because of a
lack of cybersecurity awareness on the part of
computer users, systems administrators,
technology developers, procurement officials,
auditors, chief information officers (CIOs),
chief executive officers, and corporate boards.
Such awareness-based vulnerabilities present
serious risks to critical infrastructures regardless
of whether they exist within the infrastructure
itself. A lack of trained personnel and the
absence of widely accepted, multi-level
certification programs for cybersecurity
professionals complicate the task of addressing
cyber vulnerabilities.

The National Strategy to Secure Cyberspace
identifies four major actions and initiatives for
awareness, education, and training:

1. Promote a comprehensive national
awareness program to empower all
Americans—businesses, the general
workforce, and the general population—
to secure their own parts of cyberspace;

2. Foster adequate training and education
programs to support the Nation's cybersecurity
needs;

3. Increase the efficiency of existing federal
cybersecurity training programs; and

4. Promote private-sector support for
well-coordinated, widely recognized
professional cybersecurity certifications.

Priority IV: Securing Governments' Cyberspace

Although governments administer only a
minority of the Nation's critical infrastructure
computer systems, governments at all levels
perform essential services in the agriculture,
food, water, public health, emergency services,
defense, social welfare, information and
telecommunications, energy, transportation,
banking and finance, chemicals, and postal and
shipping sectors that depend upon cyberspace
for their delivery. Governments can lead by
example in cyberspace security, including
fostering a marketplace for more secure
technologies through their procurement.

The National Strategy to Secure Cyberspace
identifies five major actions and initiatives for
the securing of governments' cyberspace:

1. Continuously assess threats and vulnerabilities
to federal cyber systems;

2. Authenticate and maintain authorized
users of federal cyber systems;

3. Secure federal wireless local area
networks;

4. Improve security in government
outsourcing and procurement; and

5. Encourage state and local governments to
consider establishing information
technology security programs and participate
in information sharing and analysis
centers with similar governments.

Priority V: National Security and International Cyberspace Security Cooperation

America's cyberspace links the United States to
the rest of the world. A network of networks
spans the planet, allowing malicious actors on
one continent to act on systems thousands of
miles away. Cyber attacks cross borders at light
speed, and discerning the source of malicious
activity is difficult. America must be capable of
safeguarding and defending its critical systems
and networks. Enabling our ability to do so
requires a system of international cooperation to
facilitate information sharing, reduce vulnerabilities,
and deter malicious actors.

The National Strategy to Secure Cyberspace
identifies six major actions and initiatives to
strengthen U.S. national security and international
cooperation:

1. Strengthen cyber-related counterintelligence
efforts;

2. Improve capabilities for attack attribution
and response;

3. Improve coordination for responding to
cyber attacks within the U.S. national
security community;

4. Work with industry and through international
organizations to facilitate dialogue
and partnerships among international
public and private sectors focused on
protecting information infrastructures
and promoting a global "culture of
security;"


5. Foster the establishment of national and
international watch-and-warning
networks to detect and prevent cyber
attacks as they emerge; and

6. Encourage other nations to accede to the
Council of Europe Convention on
Cybercrime, or to ensure that their laws
and procedures are at least as comprehensive.

A National Effort

Protecting the widely distributed assets of
cyberspace requires the efforts of many
Americans. The federal government alone
cannot sufficiently defend America's cyberspace.
Our traditions of federalism and limited
government require that organizations outside
the federal government take the lead in many of
these efforts. Every American who can
contribute to securing part of cyberspace is
encouraged to do so. The federal government
invites the creation of, and participation in,
public-private partnerships to raise cybersecurity
awareness, train personnel, stimulate
market forces, improve technology, identify and
remediate vulnerabilities, exchange information,
and plan recovery operations.

People and organizations across the United
States have already taken steps to improve
cyberspace security. On September 18, 2002,
many private-sector entities released plans and
strategies for securing their respective infrastructures.
The Partnership for Critical
Infrastructure Security has played a unique role
in facilitating private-sector contributions to
this Strategy. Inputs from the critical sectors
themselves can be found at
http://www.pcis.org. (These documents
were not subject to government approval.)

These comprehensive infrastructure plans
describe the strategic initiatives of various
sectors, including:

• Banking and Finance;

• Insurance;

• Chemical;

• Oil and Gas;

• Electric;

• Law Enforcement;

• Higher Education;

• Transportation (Rail);

• Information Technology and
Telecommunications; and

• Water.

As each of the critical infrastructure sectors
implements these initiatives, threats and vulnerabilities
to our infrastructures will be reduced.

For the foreseeable future two things will be
true: America will rely upon cyberspace and the
federal government will seek a continuing broad
partnership with the private sector to develop,
implement, and refine a National Strategy to
Secure Cyberspace.

A Nation in Cyberspace

Our Nation's critical infrastructures consist of
the physical and cyber assets of public and
private institutions in several sectors:
agriculture, food, water, public health,
emergency services, government, defense industrial
base, information and telecommunications,
energy, transportation, banking and finance,
chemicals and hazardous materials, and postal
and shipping. Cyberspace is the nervous system
of these infrastructures—the control system of
our country. Cyberspace comprises hundreds of
thousands of interconnected computers, servers,
routers, switches, and fiber optic cables that
make our critical infrastructures work. Thus, the
healthy functioning of cyberspace is essential to
our economy and our national security.

Unfortunately, recent events have highlighted
the existence of cyberspace vulnerabilities and
the fact that malicious actors seek to exploit
them. (See, Cyberspace Threats and
Vulnerabilities.)

This National Strategy to Secure Cyberspace is
part of an overall effort to protect the Nation. It
is an implementing component of the National
Strategy for Homeland Security and is complemented
by the National Strategy for the Physical
Protection of Critical Infrastructures and Key
Assets. The purpose of this document is to
engage and empower Americans to secure the
portions of cyberspace that they own, operate,
or control, or with which they interact. Securing
cyberspace is a difficult strategic challenge that
requires coordinated and focused effort from
our entire society—the federal government,
state and local governments, the private sector,
and the American people.

A Unique Problem, a Unique Process

Most critical infrastructures, and the cyberspace
on which they rely, are privately owned and
operated. The technologies that create and
support cyberspace evolve rapidly from private-sector
and academic innovation. Government
alone cannot sufficiently secure cyberspace.
Thus, President Bush has called for voluntary
partnerships among government, industry,
academia, and nongovernmental groups to
secure and defend cyberspace. (See, National
Policy and Guiding Principles.)

In recognition of this need for partnership, the
process to develop the National Strategy to
Secure Cyberspace included soliciting views from
both the public and private sectors. To do so,
the White House sponsored town hall meetings
on cyberspace security in ten metropolitan
areas. Consequently, individual sectors (e.g.,
higher education, state and local government,
banking and finance) formed workgroups to
create initial sector-specific cyberspace security
strategies. Additionally, the White House
created a Presidential advisory panel, the
National Infrastructure Advisory Council,
consisting of leaders from the key sectors of the
economy, government, and academia. The
President's National Security
Telecommunications Advisory Committee
reviewed and commented on the Strategy.

In September 2002, the President's Critical
Infrastructure Protection Board sought
comments from individuals and institutions
nationwide by placing a draft version of the
Strategy online for review. Thousands participated
in the town hall meetings and provided
comments online. Their comments contributed
to shaping the Strategy by narrowing its focus
and sharpening its priorities.


This process recognizes that we can only secure
cyberspace successfully through an inclusive
national effort that engages major institutions
throughout the country. The federal
government designed the Strategy development
process to raise the Nation's level of awareness
of the importance of cybersecurity. Its intent
was to produce a Strategy that many Americans
could feel they had a direct role in developing,
and to which they would be committed.

Although the redrafting process reflects many
of the comments provided, not everyone will
agree with each component of the National
Strategy to Secure Cyberspace. Many issues could
not be addressed in detail, and others are not
yet ripe for national policy. The Strategy is not
immutable; actions will evolve as technologies
advance, as threats and vulnerabilities change,
and as our understanding of the cybersecurity
issues improves and clarifies. A national
dialogue on cyberspace security must therefore
continue.

In the weeks following the release of the draft
Strategy, Congress approved the creation of the
Department of Homeland Security (DHS),
assigned to it many agencies that are active in
cybersecurity, and directed it to perform new
cybersecurity missions. This Strategy reflects
those changes. Congress passed and the
President signed the Cyber Security Research and
Development Act (Public Law 107-305), authorizing
a multi-year effort to create more secure
cyber technologies, to expand cybersecurity
research and development, and to improve the
cybersecurity workforce.

Five National Cyberspace Security Priorities

The National Strategy to Secure Cyberspace is a
call for national awareness and action by
individuals and institutions throughout the
United States, to increase the level of cybersecurity
nationwide and to implement continuous
processes for identifying and remedying cyber
vulnerabilities. Its framework is an agenda of
five broad priorities that require widespread
voluntary participation. Each individual
program consists of several components, many
of which were drawn from the draft Strategy's
recommendations and related public comments.

Addressing these priorities requires the
leadership of DHS as well as several other key
federal departments and agencies. As part of
the Office of Management and Budget
(OMB)-led budget process, and with the
support of Congress, these departments and
agencies now have the task of translating the
Strategy's recommendations into actions.

Corporations, universities, state and local
governments, and other partners are also
encouraged to take actions consistent with these
five national cyberspace security priorities, both
independently and in partnership with the
federal government. Each private-sector organization
must make its own decisions based on
cost effectiveness analysis and risk-management
and mitigation strategies.

The National Strategy to Secure Cyberspace articulates
five national priorities. The first priority
focuses on improving our ability to respond to
cyber incidents and reduce the potential
damage from such events. The second, third,
and fourth priorities aim to reduce the numbers
of cyber threats and our overall vulnerability to
cyber attacks. The fifth priority focuses on
preventing cyber attacks with the potential to
impact national security assets and improving
international management of and response to
such attacks.

Priority I: A National Cyberspace Security Response System

Rapid identification, information exchange, and
remediation can often mitigate the damage
caused by malicious cyberspace activity. For
those activities to take place effectively at a
national level, the United States requires a
partnership between government and industry
to perform analyses, issue warnings, and
coordinate response efforts. Privacy and civil
liberties must be protected in the process.
Because no cybersecurity plan can be impervious
to concerted and intelligent attacks,
information systems must be able to operate
while under attack and also have the resilience
to restore full operations in their wake. To
prepare for the possibility of major cyber
attacks, America needs a national cyber disaster
recovery plan. The National Cyberspace
Security Response System will involve public
and private institutions and cyber centers to
perform analysis, conduct watch and warning
activities, enable information exchange, and
facilitate restoration efforts.

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

By exploiting vulnerabilities in our cyber
systems, an organized cyber attack may
endanger the security of our Nation's critical
infrastructures. Cyberspace vulnerabilities occur
in the critical infrastructure enterprises and
government departments themselves, in their
external supporting structures (such as the
mechanisms of the Internet), and in unsecured
sites across the interconnected network of
networks. Vulnerabilities exist for several
reasons including technological weaknesses,
poor security-control implementation, and
absences of effective oversight.

A National Cyberspace Security Threat and
Vulnerability Reduction Program will include
coordinated national efforts conducted by
governments and the private sector to identify
and remediate the most serious cyber vulnerabilities
through collaborative activities, such as
sharing best practices and evaluating and implementing
new technologies. Additional program
components will include raising cybersecurity
awareness, increasing criminal justice activities,
and developing national security programs to
deter future cyber threats.


THE  NATIONAL  STRATEGY  TO  SECURE  CYBERSPACE  3 


INTRODUCTION 


Priority III: A National Cyberspace Security Awareness and Training Program

Many information-system vulnerabilities exist
because of a lack of cyberspace security
awareness on the part of computer users,
systems administrators, technology developers,
procurement officials, auditors, chief information
officers, chief executive officers, and
corporate boards. These vulnerabilities can
present serious risks to the infrastructures even
if they are not actually part of the infrastructure
itself. A lack of trained personnel and the
absence of widely accepted, multi-level certifications
for personnel further complicate the
task of reducing vulnerabilities.

The National Cyberspace Security Awareness
and Training Program will raise cybersecurity
awareness in companies, government agencies,
universities, and among the Nation's computer
users. It will further address shortfalls in the
numbers of trained and certified cybersecurity
personnel.

Priority IV: Securing Governments' Cyberspace

Although governments administer only a
minority of the Nation's critical infrastructure
computer systems, governments at all levels
perform essential services that rely on each of
the critical infrastructure sectors, which are
agriculture, food, water, public health,
emergency services, government, defense industrial
base, information and telecommunications,
energy, transportation, banking and finance,
chemicals and hazardous materials, and postal
and shipping. With respect to investment in
cyberspace security, government can lead by
example by fostering a marketplace for more
secure technologies through large procurements
of advanced information assurance technologies.
A program to implement such products will
help to ensure that federal computer systems
and networks are secure. The federal
government will also assist state and local
governments with cybersecurity awareness,
training, and information exchange.

Priority V: National Security and International Cyberspace Security Cooperation

America's cyberspace links the United States to
the rest of the world. A network of networks
spans the planet, allowing malicious actors on
one continent to act on systems thousands of
miles away. Cyber attacks cross borders at light
speed, and discerning the source of malicious
activity is difficult. America must be capable of
safeguarding and defending its critical systems
and networks—regardless of where an attack
originates. Facilitating our ability to do so
requires a system of international cooperation to
enable the information sharing, reduce vulnerabilities,
and deter malicious actors.

Actions and Recommendations

The Strategy highlights actions that the federal
government will take and makes recommendations
to our partners in nongovernmental
organizations. The actions and recommendations
(A/R) are italicized throughout the
Strategy and numbered according to the
associated priority. For example A/R 1-1 is the
first action or recommendation in Priority I.

Appendix A provides a summary of all of the
A/Rs proposed.

Cyberspace Threats and Vulnerabilities

A Case for Action

The terrorist attacks against the United States
that took place on September 11, 2001, had a
profound impact on our Nation. The federal
government and society as a whole have been
forced to reexamine conceptions of security on
our home soil, with many understanding only
for the first time the lengths to which self-designated
enemies of our country are willing to
go to inflict debilitating damage.

We must move forward with the understanding
that there are enemies who seek to inflict
damage on our way of life. They are ready to
attack us on our own soil, and they have shown
a willingness to use unconventional means to
execute those attacks. While the attacks of
September 11 were physical attacks, we are
facing increasing threats from hostile adversaries
in the realm of cyberspace as well.

A Nation Now Fully Dependent on Cyberspace

For the United States, the information
technology revolution quietly changed the way
business and government operate. Without a
great deal of thought about security, the Nation
shifted the control of essential processes in
manufacturing, utilities, banking, and communications
to networked computers. As a result,
the cost of doing business dropped and
productivity skyrocketed. The trend toward
greater use of networked systems continues.
By 2003, our economy and national security
became fully dependent upon information
technology and the information infrastructure.

A network of networks directly supports the
operation of all sectors of our economy—energy
(electric power, oil and gas), transportation (rail,
air, merchant marine), finance and banking,
information and telecommunications, public
health, emergency services, water, chemical,
defense industrial base, food, agriculture, and
postal and shipping. The reach of these
computer networks exceeds the bounds of
cyberspace. They also control physical objects
such as electrical transformers, trains, pipeline
pumps, chemical vats, and radars.

Threats in Cyberspace

A spectrum of malicious actors can and do
conduct attacks against our critical information
infrastructures. Of primary concern is the threat
of organized cyber attacks capable of causing
debilitating disruption to our Nation's critical
infrastructures, economy, or national security.
The required technical sophistication to carry
out such an attack is high—and partially
explains the lack of a debilitating attack to date.
We should not, however, be too sanguine. There
have been instances where attackers have
exploited vulnerabilities that may be indicative
of more destructive capabilities.

Uncertainties exist as to the intent and full
technical capabilities of several observed
attacks. Enhanced cyber threat analysis is
needed to address long-term trends related to
threats and vulnerabilities. What is known is
that the attack tools and methodologies are
becoming widely available, and the technical
capability and sophistication of users bent on
causing havoc or disruption is improving.

As an example, consider the "NIMDA"
("ADMIN" spelled backwards) attack. Despite
the fact that NIMDA did not create a
catastrophic disruption to the critical infrastructure,
it is a good example of the increased
technical sophistication showing up in cyber
attacks. It demonstrated that the arsenal of
weapons available to organized attackers now
contains the capability to learn and adapt to its
local environment. NIMDA was an automated
cyber attack, a blend of a computer worm and a
computer virus. It propagated across the Nation
with enormous speed and tried several different
ways to infect computer systems it invaded until
it gained access and destroyed files. It went
from nonexistent to nationwide in an hour,
lasted for days, and attacked 86,000 computers.

Speed is also increasing. Consider that two
months before NIMDA, a cyber attack called
Code Red infected 150,000 computer systems
in 14 hours.

Because of the increasing sophistication of
computer attack tools, an increasing number of
actors are capable of launching nationally
significant assaults against our infrastructures
and cyberspace. In peacetime America's enemies
may conduct espionage on our Government,
university research centers, and private
companies. They may also seek to prepare for
cyber strikes during a confrontation by mapping
U.S. information systems, identifying key
targets, lacing our infrastructure with back
doors and other means of access. In wartime or
crisis, adversaries may seek to intimidate the
nation's political leaders by attacking critical
infrastructures and key economic functions or
eroding public confidence in information
systems.

Cyber attacks on U.S. information networks can
have serious consequences such as disrupting
critical operations, causing loss of revenue and
intellectual property, or loss of life. Countering
such attacks requires the development of robust
capabilities where they do not exist today if we
are to reduce vulnerabilities and deter those
with the capabilities and intent to harm our
critical infrastructures.

Cyberspace provides a means for organized
attack on our infrastructure from a distance.

These attacks require only commodity
technology, and enable attackers to obfuscate
their identities, locations, and paths of entry.

Not only does cyberspace provide the ability to
exploit weaknesses in our critical infrastructures,
but it also provides a fulcrum for leveraging
physical attacks by allowing the possibility of
disrupting communications, hindering U.S.
defensive or offensive response, or delaying
emergency responders who would be essential
following a physical attack.

In the last century, geographic isolation helped
protect the United States from a direct physical
invasion. In cyberspace national boundaries
have little meaning. Information flows continuously
and seamlessly across political, ethnic, and
religious divides. Even the infrastructure that
makes up cyberspace—software and hardware—
is global in its design and development. Because
of the global nature of cyberspace, the vulnerabilities
that exist are open to the world and
available to anyone, anywhere, with sufficient
capability to exploit them.

Reduce Vulnerabilities in the Absence of Known Threats

While the Nation's critical infrastructures
must, of course, deal with specific threats as
they arise, waiting to learn of an imminent
attack before addressing important critical
infrastructure vulnerabilities is a risky and
unacceptable strategy. Cyber attacks can burst
onto the Nation's networks with little or no
warning and spread so fast that many victims
never have a chance to hear the alarms. Even
with forewarning, they likely would not have
had the time, knowledge, or tools needed
to protect themselves. In some cases creating
defenses against these attacks would have
taken days.

A key lesson derived from these and other such
cyber attacks is that organizations that rely on
networked computer systems must take
proactive steps to identify and remedy their
vulnerabilities, rather than waiting for an
attacker to be stopped or until alerted of an
impending attack. Vulnerability assessment and
remediation activities must be ongoing. An
information technology security audit
conducted by trained professionals to identify
infrastructure vulnerabilities can take months.
Subsequently, the process of creating a multi-layered
defense and a resilient network to
remedy the most serious vulnerabilities could
take several additional months. The process
must then be regularly repeated.

Threat and Vulnerability: A Five-Level Problem

Managing threat and reducing vulnerability in
cyberspace is a particularly complex challenge
because of the number and range of different
types of users. Cyberspace security requires
action on multiple levels and by a diverse group
of actors because literally hundreds of millions
of devices are interconnected by a network of
networks. The problem of cyberspace security
can be best addressed on five levels.

Level 1, the Home User/Small Business

Though not a part of a critical infrastructure
the computers of home users can become part
of networks of remotely controlled machines
that are then used to attack critical infrastructures.
Undefended home and small business
computers, particularly those using digital
subscriber line (DSL) or cable connections, are
vulnerable to attackers who can employ the use
of those machines without the owner's
knowledge. Groups of such "zombie" machines
can then be used by third-party actors to launch
denial-of-service (DoS) attacks on key Internet
nodes and other important enterprises or
critical infrastructures.

Level 2, Large Enterprises

Large-scale enterprises (corporations,
government agencies, and universities) are
common targets for cyber attacks. Many such
enterprises are part of critical infrastructures.

Enterprises require clearly articulated, active
information security policies and programs to
audit compliance with cybersecurity best
practices. According to the U.S. intelligence
community, American networks will be increasingly
targeted by malicious actors both for the
data and the power they possess.

Level 3, Critical Sectors/Infrastructures

When organizations in sectors of the economy,
government, or academia unite to address
common cybersecurity problems, they can often
reduce the burden on individual enterprises.
Such collaboration often produces shared institutions
and mechanisms, which, in turn, could
have cyber vulnerabilities whose exploitation
could directly affect the operations of member
enterprises and the sector as a whole.

Enterprises can also reduce cyber risks by
participating in groups that develop best
practices, evaluate technological offerings,
certify products and services, and share information.

Several sectors have formed Information
Sharing and Analysis Centers (ISACs) to
monitor for cyber attacks directed against their
respective infrastructures. ISACs are also a
vehicle for sharing information about attack
trends, vulnerabilities, and best practices.

Level 4, National Issues and Vulnerabilities

Some cybersecurity problems have national
implications and cannot be solved by individual
enterprises or infrastructure sectors alone. All
sectors share the Internet. Accordingly, they are
all at risk if its mechanisms (e.g., protocols and
routers) are not secure. Weaknesses in widely
used software and hardware products can also
create problems at the national level, requiring
coordinated activities for the research and
development of improved technologies.
Additionally, the lack of trained and certified
cybersecurity professionals also merits national-level
concern.


Level 5, Global

The worldwide web is a planetary information
grid of systems. Internationally shared standards
enable interoperability among the world's
computer systems. This interconnectedness,
however, also means that problems on one
continent have the potential to affect computers
on another. We therefore rely on international
cooperation to share information related to
cyber issues and, further, to prosecute cyber
criminals. Without such cooperation, our
collective ability to detect, deter, and minimize
the effects of cyber-based attacks would be
greatly diminished.

New Vulnerabilities Requiring Continuous Response

New vulnerabilities are created or discovered
regularly. The process of securing networks and
systems, therefore, must also be continuous.

The Computer Emergency Response
Team/Coordination Center (CERT/CC) notes
that not only are the numbers of cyber incidents
and attacks increasing at an alarming rate, so
too are the numbers of vulnerabilities that an
attacker could exploit. Identified computer
security vulnerabilities—faults in software and
hardware that could permit unauthorized
network access or allow an attacker to cause
network damage—increased significantly from
2000 to 2002, with the number of vulnerabilities
going from 1,090 to 4,129.

The mere installation of a network security
device is not a substitute for maintaining and
updating a network's defenses. Ninety percent
of the participants in a recent Computer
Security Institute survey reported using
antivirus software on their network systems, yet
85 percent of their systems had been damaged
by computer viruses. In the same survey, 89
percent of the respondents had installed
computer firewalls, and 60 percent had
intrusion detection systems. Nevertheless, 90
percent reported that security breaches had
taken place, and 40 percent of their systems had
been penetrated from outside their network.

[Figure: Roles and Responsibilities in Securing Cyberspace]

The majority of security vulnerabilities can be
mitigated through good security practices. As
these survey numbers indicate, however,
practicing good security includes more than
simply installing those devices. It also requires
operating them correctly and keeping them
current through regular patching and virus
updates.

Cybersecurity and Opportunity Cost

For individual companies and the national
economy as a whole, improving computer
security requires investing attention, time, and
money. For fiscal year 2003, President Bush
requested that Congress increase funds to
secure federal computers by 64 percent.
President Bush's investment in securing federal
computer networks now will eventually reduce
overall expenditures through cost-saving
E-Government solutions, modern enterprise
management, and by reducing the number of
opportunities for waste and fraud.


For the national economy—particularly
its information technology industry
component—the dearth of trusted, reliable,
secure information systems presents a barrier to
future growth. Much of the potential for
economic growth made possible by the
information technology revolution has yet to be
realized—deterred in part by cyberspace
security risks. Cyberspace vulnerabilities place
more than transactions at risk; they jeopardize
intellectual property, business operations,
infrastructure services, and consumer trust.

Conversely, cybersecurity investments result in
more than costly overhead expenditures. They
produce a return on investment. Surveys
repeatedly show that:

• Although the likelihood of suffering a
severe cyber attack is difficult to estimate,
the costs associated with a successful one
are likely to be greater than the investment
in a cybersecurity program to prevent it; and

• Designing strong security protocols into
the information systems architecture of an
enterprise can reduce its overall operational
costs by enabling cost-saving
processes, such as remote access and
customer or supply-chain interactions,
which could not occur in networks lacking
appropriate security.

These results suggest that, with greater
awareness of the issues, companies can benefit
from increasing their levels of cybersecurity.

Greater awareness and voluntary efforts are
critical components of the National Strategy to
Secure Cyberspace.

Individual and National Risk Management

Until recently overseas terrorist networks had
caused limited damage in the United States. On
September 11, 2001, that quickly changed. One
estimate places the increase in cost to our
economy from attacks to U.S. information
systems at 400 percent over four years. While
those losses remain relatively limited, that too
could change abruptly.

Every day in the United States individual
companies, and home computer users, suffer
damage from cyber attacks that, to the victims,
represent significant losses. Conditions likewise
exist for relative measures of damage to occur
on a national level, affecting the networks and
systems on which the Nation depends:

• Potential adversaries have the intent;

• Tools that support malicious activities are
broadly available; and,

• Vulnerabilities of the Nation's systems are
many and well known.

No single strategy can completely eliminate
cyberspace vulnerabilities and their associated
threats. Nevertheless, the Nation must act to
manage risk responsibly and to enhance its
ability to minimize the damage that results
from attacks that do occur. Through this
statement, we reveal nothing to potential foes
that they and others do not already know. In
1997 a Presidential Commission identified the
risks in a seminal public report. In 2000 the
first national plan to address the problem was
published. Citing these risks, President Bush
issued an Executive Order in 2001, making
cybersecurity a priority, and accordingly,
increasing funds to secure federal networks.

In 2002 the President moved to consolidate and
strengthen federal cybersecurity agencies as
part of the proposed Department of Homeland
Security.

Government Alone Cannot Secure Cyberspace

Despite increased awareness around the
importance of cybersecurity and the measures
taken thus far to improve our capabilities, cyber
risks continue to underlie our national information
networks and the critical systems they
manage. Reducing that risk requires an
unprecedented, active partnership among
diverse components of our country and our
global partners.


The federal government could not—and,
indeed, should not—secure the computer
networks of privately owned banks, energy
companies, transportation firms, and other parts
of the private sector. The federal government
should likewise not intrude into homes and
small businesses, into universities, or state and
local agencies and departments to create secure
computer networks. Each American who
depends on cyberspace, the network of
information networks, must secure the part that
they own or for which they are responsible.

National Policy and Guiding Principles

National Policy, Principles, and Organization

This section describes the national policy that
shapes the National Strategy to Secure Cyberspace
and the basic framework of principles within
which it was developed. It also outlines the
roles and missions of federal agencies.

National Policy

The information technology revolution has
changed the way business is transacted,
government operates, and national defense is
conducted. These three functions now depend
on an interdependent network of critical information
infrastructures that we refer to as
"cyberspace."


It is the policy of the United States to prevent
or minimize disruptions to critical information
infrastructures and thereby protect the people,
the economy, the essential human and
government services, and the national security
of the United States. Disruptions that do occur
should be infrequent, of minimal duration and
manageable and cause the least damage
possible. The policy requires a continuous effort
to secure information systems for critical infrastructure
and includes voluntary public-private
partnerships involving corporate and
nongovernmental organizations.

Consistent with the objectives of the National
Strategy for Homeland Security, the objectives of
the National Strategy to Secure Cyberspace are to:

• Prevent cyber attacks against our critical
infrastructures;

• Reduce our national vulnerabilities to
cyber attack; and,

• Minimize the damage and recovery time
from cyber attacks that do occur.

Guiding Principles

In January 2001, the Administration began to
review the role of information systems and
cybersecurity. In October 2001, President Bush
issued Executive Order 13231, authorizing a
protection program that consists of continuous
efforts to secure information systems for critical
infrastructure, including emergency
preparedness communications and the physical
assets that support such systems. The Federal
Information Security Management Act
(FISMA) and Executive Order 13231, together
with other relevant Presidential directives and
statutory authorities, provide the framework for
executive branch cyberspace security
activities.

The protection of these cyber systems is
essential to every sector of the economy. The
development and implementation of this
program directive has been guided by the
following organizing principles:

1. A National Effort: Protecting the widely
distributed assets of cyberspace requires
the efforts of many Americans. The
federal government alone cannot defend
America's cyberspace. Our traditions of
federalism and limited government
require that organizations outside the
federal government take the lead in many
of these efforts. The government's role in
securing cyberspace includes promoting
better security in privately owned infrastructures
when there is a need to:

• Convene and facilitate discussions
between and with nongovernmental
entities;

• Identify instances where the "tragedy
of the commons" can affect
homeland, national, and economic
security; and

• Share information about cyber
threats and vulnerabilities so
nongovernmental entities can adjust
their risk management strategies and
plans, as appropriate.

In every case, the scope for government
involvement is limited to those cases
when the benefits of
intervention outweigh the direct and
indirect costs.

Every American who can contribute to
securing part of cyberspace is
encouraged to do so. The federal
government promotes the creation of,
and participation in, public-private
partnerships to raise awareness, train
personnel, stimulate market forces,
improve technology, identify and
remediate vulnerabilities, exchange
information, and plan recovery operations.
Many sectors have undertaken the
important step of developing ISACs,
which facilitate communication, the
development of best practices, and the
dissemination of security-related information.
In addition, various sectors have
developed plans to secure their parts of
cyberspace, which complement this
Strategy, and the government intends
for this productive and collaborative
partnership to continue.

2. Protect Privacy and Civil Liberties: The abuse of cyberspace
infringes on our privacy and our liberty. It is incumbent on the
federal government to avoid such abuse and infringement.
Cybersecurity and personal privacy need not be opposing goals.
Cyberspace security programs must strengthen, not weaken, such
protections. Accordingly, care must be taken to respect privacy
interests and other civil liberties. Consumers and operators must
have confidence their voluntarily shared, nonpublic information
will be handled accurately, confidentially, and reliably. The
federal government will lead by example in implementing strong
privacy policies and practices in the agencies. As part of this
process, the federal government will consult regularly with privacy
advocates and experts.

3. Regulation and Market Forces: Federal regulation will not become
a primary means of securing cyberspace. Broad regulations mandating
how all corporations must configure their information systems could
divert more successful efforts by creating a
lowest-common-denominator approach to cybersecurity, which evolving
technology would quickly marginalize. Even worse, such an approach
could result in less secure and more homogeneous security
architectures than we have now. By law, some federal regulatory
agencies already include cybersecurity considerations in their
oversight activity. However, the market itself is expected to
provide the major impetus to improve cybersecurity.

4. Accountability and Responsibility: The National Strategy to
Secure Cyberspace is focused on producing a more resilient and
reliable information infrastructure. When possible, it designates
lead executive branch departments or agencies for federal
cyberspace security initiatives. On November 25, 2002, the
President signed the Homeland Security Act of 2002 establishing the
Department of Homeland Security (DHS). DHS will be responsible for
many of the initiatives outlined in the National Strategy to Secure
Cyberspace. The Strategy also recommends actions federal, state and
local governments, the private sector, and the American people can
take to help secure cyberspace.


5. Ensure Flexibility: Cyber threats change rapidly. Accordingly,
the National Strategy to Secure Cyberspace emphasizes flexibility
in our ability to respond to cyber attacks and manage vulnerability
reduction. The rapid development of attack tools provides potential
attackers with a strategic advantage to adapt their offensive
tactics quickly to target perceived weaknesses in networked
information systems and organizations' abilities to respond.
Flexible planning allows organizations to reassess priorities and
realign resources as the cyber threat evolves.

6. Multi-Year Planning: Securing cyberspace is an ongoing process,
as new technologies appear and new vulnerabilities are identified.
The National Strategy to Secure Cyberspace provides an initial
framework for achieving cyberspace security objectives. Departments
and agencies should adopt multi-year cybersecurity plans for
sustaining their respective roles. Other public- and private-sector
organizations are also encouraged to consider multi-year plans.

Department  of  Homeland  Security  and 
Cyberspace  Security 

DHS unites 22 federal entities for the common
purpose of improving homeland security. The
Department also creates a focal point for
managing cyberspace incidents that could
impact the federal government or even the
national information infrastructures. The
Secretary of Homeland Security will have
important responsibilities in cyberspace security,
including:

• Developing a comprehensive national plan for securing the key
resources and critical infrastructures of the United States,
including information technology and telecommunications systems
(including satellites) and the physical and technological assets
that support such systems;

• Providing crisis management support in response to threats to, or
attacks on, critical information systems;

• Providing technical assistance to the private sector and other
governmental entities with respect to emergency recovery plans that
respond to major failures of critical information systems;

• Coordinating with other federal agencies to provide specific
warning information and advice about appropriate protective
measures and countermeasures to state and local government agencies
and authorities, the private sector, other entities, and the
public; and

• Performing and funding research and development along with other
agencies that will lead to new scientific understanding and
technologies in support of homeland security.

CRITICAL INFRASTRUCTURE LEAD AGENCIES

(Each lead agency is followed by its sectors.)

Department of Homeland Security
• Information and Telecommunications
• Transportation (aviation, rail, mass transit, waterborne
commerce, pipelines, and highways (including trucking and
intelligent transportation systems))
• Postal and Shipping
• Emergency Services
• Continuity of Government

Department of the Treasury
• Banking and Finance

Department of Health and Human Services
• Public Health (including prevention, surveillance, laboratory
services, and personal health services)
• Food (all except for meat and poultry)

Department of Energy
• Energy (electric power, oil and gas production, and storage)

Environmental Protection Agency
• Water
• Chemical Industry and Hazardous Materials

Department of Agriculture
• Agriculture
• Food (meat and poultry)

Department of Defense
• Defense Industrial Base

Designation of Coordinating Agencies

A productive partnership between the federal government and the
private sector depends on effective coordination and communication.
To facilitate and enhance this collaborative structure, the
government has designated a "Lead Agency" for each of the major
sectors of the economy vulnerable to infrastructure attack. In
addition, the Office of Science and Technology Policy (OSTP)
coordinates research and development to support critical
infrastructure protection. The Office of Management and Budget
(OMB) oversees the implementation of governmentwide policies,
principles, standards, and guidelines for federal government
computer security programs. The Department of State coordinates
international outreach on cybersecurity. The Director of Central
Intelligence is responsible for assessing the foreign threat to
U.S. networks and information systems. The Department of Justice
(DOJ) and the Federal Bureau of Investigation (FBI) lead the
national effort to investigate and prosecute cybercrime.


The government will continue to support the development of
public-private partnerships. Working together, sector
representatives and federal lead agencies assess their respective
sectors' vulnerabilities to cyber or physical attacks and,
accordingly, recommend plans or measures to eliminate significant
exposures.

Both technology and the threat environment can change rapidly.
Therefore, sectors and lead agencies should frequently assess the
reliability, vulnerability, and threat environments of the Nation's
infrastructures and employ appropriate protective measures and
responses to safeguard them.

The government's full authority, capabilities, and resources must
be available to support critical infrastructure protection efforts.
These include, as appropriate, crisis management, law enforcement,
regulation, foreign intelligence, and defense preparedness.



Priority  I:  A  National  Cyberspace 
Security  Response  System 


In the 1950s and 1960s, our Nation became vulnerable to attacks
from aircraft and missiles for the first time. The federal
government responded by creating a national system to: monitor our
airspace with radar to detect unusual activity, analyze and warn of
possible attacks, coordinate our fighter aircraft defenses during
an attack, and restore our Nation after an attack through civil
defense programs.

Today, the Nation's critical assets could be attacked through
cyberspace. The United States now requires a different kind of
national response system in order to detect potentially damaging
activity in cyberspace, to analyze exploits and warn potential
victims, to coordinate incident responses, and to restore essential
services that have been damaged.

The fact that the vast majority of cyberspace is neither owned nor
operated by any single group—public or private—presents a challenge
for creating a National Cyberspace Security Response System. There
is no synoptic or holistic view of cyberspace. Therefore, there is
no panoramic vantage point from which we can see attacks coming or
spreading. Information that indicates an attack has occurred
(worms, viruses, denial-of-service attacks) accumulates through
many different organizations. However, there is no organized
mechanism for reviewing these indicators and determining their
implications.

To mitigate the impact of cyber attacks, information about them
must disseminate widely and quickly. Analytical and incident
response capabilities that exist in numerous organizations could be
coordinated to determine how to best defend against an attack,
mitigate effects, and restore service.

Establishing a proper administrative mechanism for the National
Cyberspace Security Response System presents another challenge.
Unlike the U.S. airspace-monitoring program during the Cold War,
individuals who operate the systems that enable and protect
cyberspace usually are not federal employees. Thus, the National
Cyberspace Security Response System must operate from a less
formal, collaborative network of governmental and nongovernmental
organizations.

DHS is responsible for developing the national cyberspace security
response system, which includes:

• Providing crisis management support in response to threats to, or
attacks on, critical information systems; and

• Coordinating with other agencies of the federal government to
provide specific warning information, and advice about appropriate
protective measures and countermeasures, to state and local
government agencies and authorities, the private sector, other
entities, and the public.

DHS will lead and synchronize efforts for the National Cyberspace
Security Response System as part of its overall information sharing
and crisis coordination mandate; however, the system itself will
consist of many organizations from both government and private
sectors. The authorizing legislation for the Department of Homeland
Security also created the position of a privacy officer to ensure
that any mechanisms associated with the National Cyberspace
Security Response System appropriately balance its mission with
civil liberty and privacy concerns. This officer will consult
regularly with privacy advocates, industry experts, and the public
at large to ensure broad input and consideration of privacy issues
so that we achieve solutions that protect privacy while enhancing
security.

The National Cyberspace Security Response System

The National Cyberspace Security Response System is a
public-private architecture, coordinated by the Department of
Homeland Security, for analyzing and warning; managing incidents of
national significance; promoting continuity in government systems
and private sector infrastructures; and increasing information
sharing across and between organizations to improve cyberspace
security. The National Cyberspace Security Response System will
include governmental entities and nongovernmental entities, such as
private sector information sharing and analysis centers (ISACs).

Among the system components outlined below
are existing federal programs and new federal
initiatives pending budget-review consideration,
as well as initiatives recommended for our
partners.

A.  ESTABLISH  PUBLIC-PRIVATE 
ARCHITECTURE  FOR  RESPONDING 
TO  NATIONAL-LEVEL  CYBER 
INCIDENTS 

Establishing the National Cyberspace Security Response System will
not require an expensive or bureaucratic federal program. In many
cases the system will augment the capabilities of several important
federal entities with existing cyberspace security
responsibilities, which are now part of DHS. The synergy that
results from integrating the resources of the National
Communications System, the National Infrastructure Protection
Center's analysis and warning functions, the Federal Computer
Incident Response Center, the Office of Energy Assurance, and the
Critical Infrastructure Assurance Office under the purview of the
Under Secretary for Information Analysis and Infrastructure
Protection will help build the necessary foundation for the
National Cyberspace Security Response System.

[Figure: National Cyberspace Security Response System. Components
shown: DHS Analysis Center (strategic group, tactical group,
vulnerability assessments); DHS Incident Operations Center (Cyber
Warning and Information Network, ISACs); DHS Incident Management
Structure (federal coordination; private, state and local
coordination); National Response Contingency Plans (federal plans;
private plan coordination).]

The Nation's private-sector networks are increasingly targeted, and
they will therefore likely be the first organizations to detect
attacks with potential national significance. Thus, ISACs will play
an increasingly important role in the National Cyberspace Security
Response System and the overall missions of homeland security.
ISACs possess unique operational insight into their industries'
core functions and will help provide the necessary analysis to
support national efforts.

Typically, an ISAC is an industry-led mechanism for gathering,
analyzing, sanitizing, and disseminating sector-specific security
information and articulating and promulgating best practices. ISACs
are designed by the various sectors to meet their respective needs
and financed through their memberships. DHS will work closely with
ISACs as appropriate to ensure that they receive timely and
actionable threat and vulnerability data and to coordinate
voluntary contingency planning efforts. The federal government
encourages the private sector to continue to establish ISACs and,
further, to enhance the analytical capabilities of existing ISACs.

1. Analysis

a. Provide for the Development of Tactical and
Strategic Analysis of Cyber Attacks and
Vulnerability Assessments

Analysis is the first step toward gaining important insight about a
cyber incident, including the nature of attack, the information it
compromised, and the extent of damage it caused. Analysis can also
provide an indication of the intruder's possible intentions, the
potential tools he used, and the vulnerabilities he exploited.
There are three closely related, but discrete, categories of
analysis related to cyberspace:

(i) Tactical analysis examines factors associated with incidents
under investigation or specific, identified vulnerabilities to
generate indications and warnings. Examples of tactical analysis
include: examining the delivery mechanism of a computer virus to
develop and issue immediate guidance on ways to prevent or mitigate
damage; and studying a specific computer intrusion, or set of
intrusions, to determine the perpetrator, his motive, and his
method of attack.

(ii)  Strategic  analysis  looks  beyond  specific 
incidents  to  consider  broader  sets  of  incidents 
or  implications  that  may  indicate  threats  of 
potential  national  importance.  For  example, 
strategic  analyses  may  identify  long-term  trends 
related  to  threat  and  vulnerability  that  could  be 
used  to  provide  advanced  warnings  of  increasing 
risks,  such  as  emerging  attack  methods. 

Strategic  analysis  also  provides  policymakers 
with  information  they  can  use  to  anticipate  and 
prepare  for  attacks,  thereby  diminishing  the 
damage  they  cause.  Strategic  analysis  also 
provides  a  foundation  to  identify  patterns  that 
can  support  indications  and  warnings. 

(iii) Vulnerability assessments are detailed reviews of cyber
systems and their physical components to identify and study their
weaknesses. Vulnerability assessments are an integral part of the
intelligence cycle for cyberspace security. These assessments
enable planners to predict the consequences of possible cyber
attacks against specific facilities or sectors of the economy or
government. These projections then allow infrastructure owners and
operators to strengthen their defenses against various types of
threat. (This will be discussed in the Cyberspace Security Threat
and Vulnerability Reduction Program.)

DHS will foster the development of strong analytic capabilities in
each of these areas. It should seek partnership and assistance from
the private sector, including the ISACs, in developing these
capabilities.


2.  Warning 

a. Encourage the Development of a Private Sector
Capability to Share a Synoptic View of the
Health of Cyberspace

The lack of a synoptic view of the Internet frustrates efforts to
develop Internet threat analysis and indication and warning
capabilities. The effects of a cyber attack on one sector have the
potential to cascade across several other sectors, thereby
producing significant consequences that could rapidly overwhelm the
capabilities of many private companies and state and local
governments. DHS's integration of several key federal cybersecurity
operations centers creates a focal point for the federal government
to manage cybersecurity emergencies in its own systems, and, if
requested, facilitate crisis management in non-federal critical
infrastructure systems.

Separately, industry is encouraged to develop a mechanism—whether
virtual or physical—that could enable the sharing of aggregated
information on Internet health to improve analysis, warning,
response, and recovery. To the extent permitted by law, this
voluntary coordination of activities among nongovernmental entities
could enable different network operators and Internet backbone
providers to analyze and exchange data about attacks. Such
coordination could prevent exploits from escalating and causing
damage or disruption of vital systems.

DHS will create a single point-of-contact for the federal
government's interaction with industry and other partners for 24x7
functions, including cyberspace analysis, warning, information
sharing, major incident response, and national-level recovery
efforts. Private sector organizations, which have major
contributions for those functions, are encouraged to coordinate
activities, as permitted by law, in order to provide a synoptic
view of the health of cyberspace on a 24x7 basis. (A/R 1-1)
b. Expand the Cyber Warning and Information
Network to Support DHS's Role in
Coordinating Crisis Management for
Cyberspace

Hours and minutes can make a difference between a major disruption
and a manageable incident. Improving national capabilities for
warning requires a secure infrastructure to provide assured
communications between critical asset owners and operators and
their service providers. The Cyber Warning and Information Network
(CWIN) will provide an out-of-band private and secure
communications network for government and industry, with the
purpose of sharing cyber alert and warning information. The network
will include voice conferencing and data collaboration.

While the first phase was implemented between the federal
government cyber watch centers, CWIN participants will ultimately
include other critical government and industry partners, such as
ISACs that deal with cyber threats on a daily basis. As other
entities expand in this area, membership will increase as well. Key
to CWIN membership is the ability to share sensitive cyber threat
information in a secure, protected, and trusted environment.

As outlined in the 2003 budget, the federal government will
complete the installation of CWIN to key government
cybersecurity-related network operation centers, to disseminate
analysis and warning information and perform crisis coordination.
The federal government will also explore linking the ISACs to CWIN.
(A/R 1-2)

3. National Incident Management

Enhancing analytical capabilities within DHS, the private sector
ISACs, and expanding CWIN will contribute to the improvement of
national cyber incident management. However, incident management
within the federal government will still require coordination with
organizations other than those being transferred to DHS. For
example, the Departments of Justice, Defense, and Commerce all have
roles to perform in response to incidents in cyberspace. Within the
White House a number of offices have responsibilities, including
the Office of Science and Technology Policy, which is responsible
for executing emergency telecommunications authorities, the
National Security Council, which coordinates all matters related to
national security and international cooperation, and the Office of
Management and Budget.

In addition, national incident management capabilities will also
integrate state chief information officers as well as international
entities, as appropriate. (See, Priorities IV and V.)

4.  Response  and  Recovery 

a. Create Processes to Coordinate the Voluntary
Development of National Public-Private
Continuity and Contingency Plans

Among the lessons learned from security reviews following the
events of September 11, 2001, was that federal agencies had vastly
inconsistent, and in most cases incomplete, contingency
capabilities for their communications and other systems.
Contingency planning is a key element of cybersecurity. Without
adequate contingency planning and training, agencies may not be
able to effectively handle disruptions in service and ensure
business continuity. OMB, through the Federal Information Security
Management Act requirements and with assistance from the inspectors
general, is holding agencies accountable for developing continuity
plans.

b. Exercise Cybersecurity Continuity Plans in
Federal Cyber Systems

DHS has the responsibility for providing crisis management support
in response to threats to, or attacks on, critical information
systems for other government agencies, state and local governments
and, upon request, the private sector. In order to establish a
baseline understanding of federal readiness, DHS will explore
exercises for the civilian agencies similar to the Defense
Department "Eligible Receiver" exercises that test cybersecurity
preparedness.

To test civilian agencies' security preparedness and contingency
planning, DHS will use exercises to evaluate the impact of cyber
attacks on governmentwide processes. Weaknesses discovered will be
included in agency corrective action plans and submitted to OMB.
DHS also will explore such exercises as a way to test the
coordination of public and private incident management, response
and recovery capabilities. (A/R 1-3)

(i) Encourage increased cyber risk management and business
continuity. There are a number of measures that nongovernmental
entities can employ to manage the risk posed by cyberspace and plan
for business continuity. Risk management is a discipline that
involves risk assessment, risk prevention, risk mitigation, risk
transfer, and risk retention.

There is no special technology that can make an enterprise
completely secure. No matter how much money companies spend on
cybersecurity, they may not be able to prevent disruptions caused
by organized attackers. Some businesses whose products or services
directly or indirectly impact the economy or the health, welfare or
safety of the public have begun to use cyber risk insurance
programs as a means of transferring risk and providing for business
continuity.

An important way to reduce an organization's exposure to
cyber-related losses, as well as to help protect companies from
operational and financial impairment, is to ensure that adequate
contingency plans are developed and tested.

Corporations are encouraged to regularly review and exercise IT
continuity plans and to consider diversity in IT service providers
as a way of mitigating risk. (A/R 1-4)


(ii) Promote public-private contingency planning for cybersecurity.
It may not be possible to prevent a wide range of cyber attacks.
For those attacks that do occur, the Nation needs an integrated
public-private plan for responding to significant outages or
disruptions in cyberspace. Some organizations have plans for how
they will recover their cyber network and capabilities in the event
of a major outage or catastrophe. However, there is no mechanism
for coordinating such plans across an entire infrastructure or at a
national level.

The legislation establishing DHS also provides a trusted mechanism
for private industry to develop contingency planning by using the
voluntary preparedness planning provisions that were established in
the Defense Production Act of 1950, as amended.

Infrastructure sectors are encouraged to establish mutual
assistance programs for cybersecurity emergencies. DOJ and the
Federal Trade Commission should work with the sectors to address
barriers to such cooperation, as appropriate. In addition, DHS's
Information Analysis and Infrastructure Protection Directorate will
coordinate the development and regular update of voluntary, joint
government-industry cybersecurity contingency plans, including a
plan for recovering Internet functions. (A/R 1-5)

B.  INFORMATION  SHARING 

1. Improve and Enhance Public-Private
Information Sharing about Cyber Attacks,
Threats, and Vulnerabilities

Successfully developing capabilities for analysis, indications, and
warnings requires a voluntary public-private information sharing
effort. The voluntary sharing of information about such incidents
or attacks is vital to cybersecurity.

Real or perceived legal obstacles make some organizations hesitant
to share information about cyber incidents with the government or
with each other. First, some fear that shared data that is
confidential, proprietary, or potentially embarrassing could become
subject to public examination when shared with the government.
Second, concerns about competitive advantage may impede information
sharing between companies within an industry. Finally, in some
cases, the mechanisms are simply not yet in place to allow
efficient sharing of information.

The legislation establishing DHS provides several specific
mechanisms intended to improve two-way information sharing.
First, the legislation encourages industry to share information
with DHS by ensuring that such voluntarily provided data about
threats and vulnerabilities will not be disclosed in a manner
that could damage the submitter. Second, the legislation requires
that the federal government share information and analysis with
the private sector as appropriate and consistent with the need to
protect classified and other sensitive national security
information.

As required by law, DHS, in consultation with appropriate federal
agencies, will establish uniform procedures for the receipt,
care, and storage by federal agencies of critical infrastructure
information that is voluntarily submitted to the government.

The procedures will address how the Department will:

• Acknowledge the receipt of voluntarily submitted critical
infrastructure information;

• Maintain the information as voluntarily submitted critical
infrastructure information;

• Establish protocols for the care and storage of such
information; and

• Create methods for protecting the confidentiality of the
submitting entity while still allowing the information to be used
in the issuance of notices and warnings for protection of the
critical infrastructure.


DHS will raise awareness about the removal of impediments to
information sharing about cybersecurity and infrastructure
vulnerabilities between the public and private sectors. The
Department will also establish an infrastructure protection
program office to manage the information flow, including the
development of protocols for how to care for "voluntarily
submitted critical infrastructure information." (A/R 1-6)

2. Encourage Broader Information Sharing on Cybersecurity

Nongovernmental organizations with significant computing
resources are encouraged to take active roles in information
sharing organizations. Corporations, colleges, and universities
can play important roles in detecting and reporting cyber
attacks, exploits, or vulnerabilities. In particular, both
corporations and institutions of higher learning can gain from
increased sharing on cyberspace security issues.

Programs such as ISACs, FBI Infragard, or the United States
Secret Service electronic crimes task forces can also benefit the
respective participants. Because institutions of higher learning
have vast computer resources that can be used as launch pads for
attacks, colleges and universities are encouraged to consider
establishing an on-call point-of-contact to Internet service
providers (ISPs) and law enforcement officials.

Corporations are encouraged to consider active involvement in
industrywide programs to share information on IT security,
including the potential benefits of joining an appropriate ISAC.
Colleges and universities are encouraged to consider
establishing: (1) one or more ISACs to deal with cyber attacks
and vulnerabilities; and, (2) an on-call point-of-contact, to
Internet service providers and law enforcement officials in the
event that the school's IT systems are discovered to be launching
cyber attacks. (A/R 1-7)

Priority II: A National Cyberspace Security Threat and
Vulnerability Reduction Program


Malicious actors in cyberspace can take many forms including
individuals, criminal cartels, terrorists, or nation states.
While attackers take many forms, they all seek to exploit
vulnerabilities created by the design or implementation of
software, hardware, networks, and protocols to achieve a wide
range of political or economic effects. As our reliance on
cyberspace increases so too does the scope of damage that
malicious actors can impose.

Waiting to act until we learn that a malicious actor is about to
exploit a particular vulnerability is risky. Such warning
information may not always be available. Even when warning data
is available, remediation of some vulnerabilities may take days,
weeks, or even years. As a result, vulnerabilities must be
identified and corrected in critical networks before threats
surface. The most dangerous vulnerabilities must be prioritized
and reduced in a systematic fashion.

As technology evolves and new systems are introduced, new
vulnerabilities emerge. Our strategy cannot be to eliminate all
vulnerabilities, or to deter all threats. Rather, we will pursue
a three-part effort to:

(1) Reduce threats and deter malicious actors through effective
programs to identify and punish them;

(2) Identify and remediate those existing vulnerabilities that
could create the most damage to critical systems, if exploited;
and

(3) Develop new systems with less vulnerability and assess
emerging technologies for vulnerabilities.

The federal government cannot accomplish these goals acting
alone. It can only do so in partnership with state and local
governments and the private sector. Many federal agencies must
play a part in this effort, which will be led and coordinated by
DHS as part of its overall vulnerability reduction mandate.

The components of this program are discussed in this section.
They include federal programs (both existing programs and
initiatives that will be considered as part of the budget
decision making process) and activities that the federal
government recommends to its partners. Many activities that can
be taken by individuals, companies, and other private
organizations to reduce vulnerabilities will be stimulated and
accelerated through awareness and are discussed as part of the
awareness initiative described in Priority III.

A. REDUCE THREAT AND DETER MALICIOUS ACTORS

1. Enhance Law Enforcement's Capabilities for Preventing and
Prosecuting

The National Strategy to Secure Cyberspace is especially
concerned with those threats that could cause significant damage
to our economy or security through actions taken using or against
our cyber infrastructure. By identifying threats that would cause
us significant harm, we can reduce the threats to homeland
security, national security, and the economy. Law enforcement and
the national security community play a critical role in
preventing attacks in cyberspace. Law enforcement plays the
central role in attributing an attack through the exercise of
criminal justice authorities.

Many cyber-based attacks are crimes. As a result the Justice
Department's Computer Crime and Intellectual Property Section,
the FBI's Cyber Division, and the U.S. Secret Service all play a
central role in apprehending and swiftly bringing to justice the
responsible individuals. When incidents do occur, a rapid
response can stem the tide of an ongoing attack and lessen the
harm that is ultimately caused.

The Nation currently has laws and mechanisms to ensure quick
responses to large incidents. Ideally, an investigation, arrest,
and prosecution of the perpetrators, or a diplomatic or military
response in the case of a state-sponsored action, will follow
such an incident.

Threat reduction, however, involves more than prosecution.
Analyzing and disseminating practical information gathered by law
enforcement can help promote national infrastructure security.
For example, through various initiatives such as the FBI
Infragard program and the U.S. Secret Service electronic crimes
task forces, law enforcement can share lessons learned from
attacks with private sector organizations. The information
gleaned from investigations can provide the federal government
and private industry a framework for examining the robustness of
their cybersecurity skill sets, and assist in prioritizing their
limited resources to manage the unique risk of their enterprise.

Justice and the FBI will need to work closely with DHS to ensure
that the information gleaned from investigations is appropriately
analyzed and shared with ISACs and other nongovernmental entities
to promote improved risk management in critical infrastructure
sectors.

The Nation will seek to prevent, deter, and significantly reduce
cyber attacks by ensuring the identification of actual or
attempted perpetrators followed by an appropriate government
response. In the case of cybercrime this would include swift
apprehension, and appropriately severe punishment.

DOJ and other appropriate agencies will develop and implement
efforts to reduce cyber attacks and cyber threats through the
following means: (1) identifying ways to improve information
sharing and investigative coordination within the federal, state,
and local law enforcement community working on critical
infrastructure and cyberspace security matters, and with other
agencies and the private sector; (2) exploring means to provide
sufficient investigative and forensic resources and training to
facilitate expeditious investigation and resolution of critical
infrastructure incidents; and, (3) developing better data about
victims of cybercrime and intrusions in order to understand the
scope of the problem and be able to track changes over time.
(A/R 2-1)

2. Create a Process for National Vulnerability Assessments to
Better Understand the Potential Consequences of Threats and
Vulnerabilities

a. Assess the Potential Impact of Strategic Cyber Attacks

To better understand how to further detect and prevent attacks,
the Nation must know the threat it is facing. To date, no
comprehensive assessment of the impact of a strategic cyber
attack against the United States has been conducted. Because
nation states and terrorists are developing capabilities for
cyber-based attacks, it is important to understand the potential
impact of such an attack and possible ways to mitigate the
effects. DHS, in coordination with appropriate agencies and the
private sector, will lead in the development and conduct of a
national threat assessment including red teaming, blue teaming,
and other methods to identify the impact of possible attacks on a
variety of targets. (A/R 2-2)

B. IDENTIFY AND REMEDIATE EXISTING VULNERABILITIES

Reducing vulnerabilities can be resource intensive. Accordingly,
our national efforts to identify and remediate vulnerabilities
must be focused to reduce vulnerabilities in a cost effective and
systematic manner. The United States must reduce vulnerabilities
in four major components of cyberspace, including: (1) the
mechanisms of the Internet; (2) digital control
systems/supervisory control and data acquisition systems; (3)
software and hardware vulnerability remediation; and, (4)
physical infrastructure and interdependency. These four areas
have broad implications for the majority of the Nation's critical
infrastructures. Initiating efforts to eliminate vulnerabilities
in these important areas will reduce the vulnerability of
critical infrastructure services to attack or compromise.

How the Internet Works

Data sent from one computer to another across the Internet is
broken into small packets of information containing addressing
information as well as a portion of the total message. The
packets travel across the Internet separately and are reassembled
at the receiving computer.

There are two primary protocols that enable these packets of data
to traverse the complex networks and arrive in an understandable
format. These protocols are: (1) the Transmission Control
Protocol (TCP) which decomposes data into packets and ensures
that they are reassembled properly at the destination; and (2)
the Internet Protocol (IP), which guides or routes the packets of
data through the Internet. Together they are referred to as
TCP/IP.

IP is essential to almost all Internet activities including
sending data such as e-mail. Data is transmitted based on IP
addresses, which are a series of numbers. The Domain Name System
(DNS) was developed to simplify the management of IP addresses.
The DNS maps IP numbers to recognizable sets of letters, words or
numbers. The DNS does this by establishing domains and a
structured hierarchical addressing scheme.

1. Secure the Mechanisms of the Internet

The development and implementation of the mechanisms for securing
the Internet are responsibilities shared by its owners,
operators, and users. Private industry is leading the effort to
ensure that the core functions of the Internet develop in a
secure manner. As appropriate, the federal government will
continue to support these efforts. The goal is the development of
secure and robust mechanisms that will enable the Internet to
support the Nation's needs now and in the future. This will
include securing the protocols on which the Internet is based,
ensuring the security of the routers that direct the flow of
data, and implementing effective management practices.

a. Improve the Security and Resilience of Key Internet Protocols

Essential to the security of the Internet infrastructure is
ensuring the reliability and secure use of three key protocols:
the Internet Protocol (IP), the Domain Name System (DNS), and the
Border Gateway Protocol (BGP).

(i) Internet Protocol. The Internet is currently based on
Internet Protocol version 4 (IPv4). Some organizations and
countries are moving to an updated version of the protocol,
version 6 (IPv6). IPv6 offers several advantages over IPv4. In
addition to offering a vast amount of addresses, it provides for
improved security features, including attribution and native IP
security (IPSEC), as well as enabling new applications and
capabilities. Some countries are moving aggressively to adopt
IPv6. Japan has committed to a fully IPv6 based infrastructure by
2005. The European Union has initiated steps to move to IPv6.
China is also considering early adoption of the protocol.

The United States must understand the merits of, and obstacles
to, moving to IPv6 and, based on that understanding, identify a
process for moving to an IPv6 based infrastructure. The federal
government can lead in developing this understanding by employing
IPv6 on some of its own networks and by coordinating its
activities with those in the private sector. The Department of
Commerce will form a task force to examine the issues related to
IPv6, including the appropriate role of government, international
interoperability, security in transition, and costs and benefits.
The task force will solicit input from potentially impacted
industry segments. (A/R 2-3).

(ii) Secure the Domain Name System. DNS serves as the central
database that helps route information throughout the Internet.
The ability to route information can be disrupted when the
databases cannot be accessed or updated or when they have been
corrupted. Attackers can disrupt the DNS by flooding the system
with information or requests or by gaining access to the system
and corrupting or destroying the information that it contains.
The October 21, 2002 attacks on the core DNS root servers
revealed a vulnerability of the Internet by degrading or
disrupting some of the 13 root servers necessary for the DNS to
function. The occurrence of this attack punctuates the urgent
need for expeditious action to make such attacks more difficult
and less effective.

(iii) Border Gateway Protocol. Of the many routing protocols in
use within the Internet, the Border Gateway Protocol (BGP) is at
greatest risk of being the target of attacks designed to disrupt
or degrade service on a large scale. BGP is used to interconnect
the thousands of networks that make up the Internet. It allows
routing information to be exchanged between networks that may
have separate administrators, administrative policies, or
protocols.

Propagation of false routing information in the Internet can deny
service to small or large portions of the Internet. For example,
false routes can create "black holes" that absorb traffic
destined for a particular block of address space. They can also
lead to cascade failures that have occurred in other types of
large routing/switching systems in the past, where the failure of
one switch or mechanism results in the failure of those connected
to it, resulting in additional waves of failures expanding
outward from the initial fault.
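
The "black hole" effect described above follows from longest-prefix route selection, and the added example below (not part of the strategy document) shows it next to one possible defence: checking each announcement against a table of expected origins before it enters the routing table. The strategy does not specify how BGP should be secured; the origin table, the prefixes (documentation ranges), the AS numbers and the peer names are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use AS numbers.
# Assumption: the operator keeps a table of which AS may originate each prefix.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}

ANNOUNCEMENTS = [
    {"prefix": "198.51.100.0/24", "origin_as": 64500, "next_hop": "peer-A"},
    {"prefix": "203.0.113.0/24", "origin_as": 64501, "next_hop": "peer-A"},
    # False route: a more-specific slice of 198.51.100.0/24 from another AS.
    {"prefix": "198.51.100.128/25", "origin_as": 64666, "next_hop": "peer-B"},
]


def check_announcement(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = [(p, asn) for p, asn in expected.items()
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown"  # address space nobody has registered in the table
    for registered, asn in covering:
        # Only the registered prefix from the registered origin is accepted;
        # more-specifics and foreign origins are treated as false routes.
        if registered == net and asn == origin_as:
            return "valid"
    return "invalid"


def build_rib(announcements, validate=False):
    """Build a routing table, optionally dropping invalid announcements."""
    rib = []
    for ann in announcements:
        if validate and check_announcement(ann["prefix"], ann["origin_as"]) == "invalid":
            continue
        rib.append({**ann, "prefix": ipaddress.ip_network(ann["prefix"])})
    return rib


def best_route(rib, destination):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in rib if addr in r["prefix"]]
    return max(matches, key=lambda r: r["prefix"].prefixlen) if matches else None


def next_hop(rib, destination):
    route = best_route(rib, destination)
    return route["next_hop"] if route else None


if __name__ == "__main__":
    for validate in (False, True):
        rib = build_rib(ANNOUNCEMENTS, validate=validate)
        for dst in ("198.51.100.10", "198.51.100.200"):
            print(f"validate={validate} {dst} -> {next_hop(rib, dst)}")
```

Without validation the upper half of the /24 follows the false /25 to peer-B while the lower half still reaches peer-A, which is why a partial black hole can go unnoticed by anyone testing only one address in the block.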

More secure forms of BGP and DNS will benefit all owners,
operators and users of the Internet. To address this issue, the
Internet Engineering Task Force, a voluntary private body
consisting of users, owners, and operators of the Internet, has
established working groups for securing BGP and DNS. These groups
have made progress, but have been limited by technical obstacles
and the need for coordination.

The security and continued functioning of the Internet will be
greatly influenced by the success or failure of implementing more
secure and more robust BGP and DNS. The Nation has a vital
interest in ensuring that this work proceeds. The government
should play a role when private efforts break down due to a need
for coordination or a lack of proper incentives.

b. Promote Improved Internet Routing

Routers on the Internet share a number of design characteristics
that make them relatively easy to disable, especially through
denial-of-service (DoS) attacks that overwhelm a router's
processing capability. Internet routing can be substantially
improved by promoting increased use of address verification and
"out-of-band" management.

(i) Address Verification. Today there are few effective solutions
available, even commercially, to mitigate the effect of DoS
attacks, as the scale and lack of address verification and
accountability makes filtering and contacting the sources of an
attack impossible. One of the largest weaknesses in our current
Internet infrastructure is the lack of source address
verification. Establishing an Internet infrastructure that
provides forged source address filtering is a critical step
towards defeating these types of attacks.
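
Forged source address filtering as described above can be applied where customer traffic enters a provider's network: a packet is forwarded only if its source address belongs to the address space assigned to the interface it arrived on. The sketch below is an added example, not part of the strategy document; the interface names, prefixes (documentation and private ranges) and packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample data: address space assigned to each customer interface.
INTERFACE_PREFIXES = {
    "cust-1": ["192.0.2.0/25"],
    "cust-2": ["192.0.2.128/25", "2001:db8:2::/48"],
}

# Constructed packets: (ingress interface, source address, destination address)
PACKETS = [
    ("cust-1", "192.0.2.10", "198.51.100.7"),        # legitimate
    ("cust-1", "203.0.113.99", "198.51.100.7"),      # forged: not cust-1 space
    ("cust-2", "192.0.2.200", "198.51.100.7"),       # legitimate
    ("cust-2", "192.0.2.10", "198.51.100.7"),        # forged: cust-1's address
    ("cust-2", "2001:db8:2::5", "2001:db8:ffff::1"), # legitimate IPv6
    ("cust-2", "10.0.0.1", "198.51.100.7"),          # forged: private source
]


class IngressFilter:
    """Drops packets whose source is outside the ingress interface's prefixes."""

    def __init__(self, interface_prefixes):
        self.allowed = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in interface_prefixes.items()
        }
        # Per-interface drop counts give the accountability the text calls for:
        # they show which attachment point is emitting forged sources.
        self.dropped = Counter()

    def permits(self, ifname, source):
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return False  # unparseable source address is never forwarded
        return any(addr.version == net.version and addr in net
                   for net in self.allowed.get(ifname, ()))

    def process(self, packets):
        """Return the packets that pass; count the rest per interface."""
        forwarded = []
        for ifname, src, dst in packets:
            if self.permits(ifname, src):
                forwarded.append((ifname, src, dst))
            else:
                self.dropped[ifname] += 1
        return forwarded


if __name__ == "__main__":
    flt = IngressFilter(INTERFACE_PREFIXES)
    for pkt in flt.process(PACKETS):
        print("forwarded", pkt)
    print("dropped per interface:", dict(flt.dropped))
```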

(ii) Out-of-Band Management. DoS attacks are difficult to
mitigate because they prevent control data from reaching the
router. Separate control networks, commonly called "out-of-band"
management links, are one technique that can be used to counter
DoS attacks.

DHS will examine the need for increased research to improve
router security through new technology or approaches to routing
information. In particular, DHS will assess progress on
out-of-band management and address filtering and recommend steps
that can be taken by government or the private sector to improve
their effectiveness and use. In addition, DHS will work with the
private sector to understand the most efficient path and
obstacles to increasing router security using current techniques
and technology.

c. Improve Management

Much improvement can be made in the security of the Internet
infrastructure if best practices for managing the Internet,
including the data that flows through it and the equipment that
supports it, are widely employed. DHS will work with
organizations that own and operate the Internet to develop and
promote the adoption of best practices. In particular, DHS will
work with Internet service providers to help develop a widely
accepted "code of conduct" for network management. This work will
include a review of existing documented best practices such as
those published by Network Reliability and Interoperability
Council (NRIC) of the Federal Communications Commission (FCC).

DHS, in coordination with the Commerce Department and appropriate
agencies, will coordinate public-private partnerships to
encourage: (1) the adoption of improved security protocols; (2)
the development of more secure router technology; and, (3) the
adoption by ISPs of a "code of good conduct," including
cybersecurity practices and security related cooperation. DHS
will support these efforts as required for their success, subject
to other budget considerations. (A/R 2-4)

2. Foster Trusted Digital Control Systems/Supervisory Control and
Data Acquisition Systems

Many industries in America have radically transformed the way
they control and monitor equipment over the last 20 years by
employing digital control systems (DCS) and supervisory control
and data acquisition systems (SCADA). DCS/SCADA are
computer-based systems that are used by many infrastructures and
industries to remotely control sensitive processes and physical
functions that once had to be controlled manually. DCS and SCADA
are present in almost every sector of the economy including
water, transportation, chemicals, energy, and manufacturing,
among others. Increasingly DCS/SCADA systems use the Internet to
transmit data rather than the closed networks used in the past.

Securing DCS/SCADA is a national priority. Disruption of these
systems can have significant consequences for public health and
safety. However, securing these systems is complicated by various
factors. First, adding security requires investment in systems
and in research and development that companies cannot afford or
justify on their own. Such research may require the involvement
of multiple infrastructure operators or industries. Second,
current technological limitations could impede the implementation
of security measures. For example, DCS/SCADA systems are
typically small and self-contained units with limited power
supplies. Security features are not easily adapted to the space
or power requirements. In addition, these systems operate in real
time and security measures could reduce performance or impact the
synchronization of larger processes.

Both the private and public sectors have a role in securing SCADA
systems. DHS, in coordination with the Department of Energy and
other concerned agencies, will work in partnership with private
industry to ensure that there is broad awareness among industry
vendors and users, both regulated and unregulated, of the
vulnerabilities in DCS/SCADA systems, and the consequences of
exploitation of those vulnerabilities. For operators of DCS/SCADA
systems, these efforts should include developing and deploying
training and certification of DCS/SCADA-oriented software and
hardware security. In addition, DHS will work with the private
sector to promote voluntary standards efforts, and security
policy creation.

The development of adequate test bed environments and the
development of technology in the areas of extremely low latency
link encryptors/authenticators, key management, and network
status/state-of-health monitoring will aid in the effort to
secure DCS/SCADA. DHS, in coordination with DOE and other
concerned agencies and in partnership with industry, will develop
best practices and new technology to increase security of
DCS/SCADA, to determine the most critical DCS/SCADA-related
sites, and to develop a prioritized plan for short-term
cybersecurity improvements in those sites. (A/R 2-5)

3. Reduce and Remediate Software Vulnerabilities

A third critical area of national exposure is the many flaws that
exist in critical infrastructure due to software vulnerabilities.
New vulnerabilities emerge daily as use of software reveals flaws
that malicious actors can exploit. Currently, approximately 3,500
vulnerabilities are reported annually. Corrections are usually
completed by the manufacturer in the form of a patch and made
available for distribution to fix the flaws.

Many known flaws, for which solutions are available, remain
uncorrected for long periods of time. For example, the top ten
known vulnerabilities account for the majority of reported
incidents of cyber attacks. This happens for multiple reasons.
Many system administrators may lack adequate training or may not
have time to examine every new patch to determine whether it
applies to their system. The software to be patched may affect a
complex set of interconnected systems that take a long time to
test before a patch can be installed with confidence. If the
systems are critical, it could be difficult to shut them down to
install the patch.

Unpatched software in critical infrastructures makes those
infrastructures vulnerable to penetration and exploitation.
Software flaws are exploited to propagate "worms" that can result
in denial of service, disruption, or other serious damage. Such
flaws can be used to gain access to and control over physical
infrastructure.

Improving the speed, coverage, and effectiveness of remediation
of these vulnerabilities is important for both the public and
private sector.

Several steps will help. First, the Nation needs a better-defined
approach to the disclosure of vulnerabilities. The issue is
complex because exposing vulnerabilities both helps speed the
development of solutions and also creates opportunities for would
be attackers. In addition, the clearinghouse for such disclosures
must be a neutral body between vendors, security companies, and
the public at large.

Today the government partially funds such organizations. However,
the appropriate level and form for this funding need to be
reviewed.

DHS will work with the National Infrastructure Advisory Council
and private sector organizations to develop an optimal approach
and mechanism for vulnerability disclosure. (A/R 2-6)


A second step that will speed the distribution of patches in
software systems is the creation of common test-beds. Such
test-beds running applications that are common among government
agencies or companies can speed patch implementation by testing
one time, for many users, the impact that a patch will have on a
variety of applications. GSA will work with DHS on an improved
approach to implementing a patch clearinghouse for the federal
government. DHS will also share lessons learned with the private
sector and encourage the development of a voluntary,
industry-led, national effort to develop a similar clearinghouse
for other sectors including large enterprises. (A/R 2-7)

Finally, best practices in vulnerability remediation should be
established and shared in areas such as training requirements for
system administrators, the use of automated tools, and management
processes for patch implementation. DHS will work with public and
private entities on the development and dissemination of such
practices. More secure initial configurations for shipped cyber
products would facilitate more secure use by making the default
set-up secure rather than insecure. The software industry is
encouraged to consider promoting more secure "out-of-the-box"
installation and implementation of their products, including
increasing: (1) user awareness of the security features in
products; (2) ease-of-use for security functions; and, (3) where
feasible, promotion of industry guidelines and best practices
that support such efforts. (A/R 2-8)

4. Understand Infrastructure Interdependency and Improve Physical
Security of Cyber Systems and Telecommunications

Reducing the vulnerability of the cyber infrastructure includes
mitigating the potentially devastating attacks on cyberspace that
can occur when key physical linkages are destroyed. The impact of
such attacks can be amplified by cascading impacts through a
variety of dependent infrastructures affecting both the economy
and the health and welfare of citizens: a train derailed in a
Baltimore tunnel and the Internet slowed in Chicago; a campfire
in New Mexico damaged a gas pipeline and IT-related production
halted in Silicon Valley; a satellite spun out of control
hundreds of miles above the Earth and affected bank customers
could not use their ATMs.

Cyberspace has physical manifestations: the buildings
and conduits that support telecommunications and
Internet networks. These physical elements have been
designed and built to create redundancy and avoid
single points of failure. Nonetheless, the carriers
and service providers are encouraged to independently
and collectively continue to analyze their networks to
strengthen reliability and intentional redundancy. The
FCC, through its Network Reliability and
Interoperability Council, and the National Security
Telecommunications Advisory Committee, can contribute
to such efforts and should identify any governmental
impediments to strengthening the national networks.

DHS will work actively to reduce interdependencies
and physical vulnerability. DHS will establish and
lead a public-private partnership to identify
cross-sectoral interdependencies, both cyber and
physical. The partnership will develop plans to reduce
related vulnerabilities in conjunction with programs
proposed in the National Strategy for Homeland
Security. The National Infrastructure Simulation and
Analysis Center in DHS will support these efforts by
developing models to identify the impact of cyber and
physical interdependencies. (A/R 2-9)

DHS also will support, when requested and as
appropriate, voluntary efforts by owners and operators
of information system networks and network data
centers to develop remediation and contingency plans
to reduce the consequences of large scale physical
damage to facilities supporting such networks and to
develop appropriate procedures for limiting access to
critical facilities. (A/R 2-10)


C.  DEVELOP  SYSTEMS  WITH  FEWER 
VULNERABILITIES  AND  ASSESS 
EMERGING  TECHNOLOGIES  FOR 
VULNERABILITIES 

As the Nation takes steps to improve the security of
current systems, it must also ensure that future cyber
systems and infrastructure are built to be secure.
This will become increasingly important as more and
more of our daily economic and physical lives come to
depend on cyber infrastructure. Future security
requires research in cyberspace security topics and a
commitment to the development of more secure products.

1. Prioritize the Federal Research and
Development Agenda

Federal investment in research for the next generation
of technologies to maintain and secure cyberspace must
keep pace with an increasing number of
vulnerabilities. Flexibility and nimbleness are
important in ensuring that the research and
development process accommodates the dynamic
technology environment in the years ahead.

The Nation will prioritize and provide resources as
necessary to advance the research to secure
cyberspace. A new generation of enabling technologies
will serve to "modernize" the Internet for rapidly
growing traffic volumes, expanded e-commerce, and the
advanced applications that will be possible only when
next-generation networks are widely available. As a
result, national research efforts must be prioritized
to support the transition of cyberspace into a secure,
high-speed knowledge and communications infrastructure
for this century.

Vital research is required for this effort. The Nation
must prioritize its cyberspace security research
efforts across all sectors and funding sources.

To meet these needs, the Director of OSTP will
coordinate the development, and update on an annual
basis, a federal government research and development
agenda that includes near-term (1-3 years), mid-term
(3-5 years), and later (5 years out and longer) IT
security research for Fiscal Year 2004 and beyond.
Existing priorities include, among others, intrusion
detection, Internet infrastructure security (including
protocols such as BGP and DNS), application security,
DoS, communications security (including SCADA system
encryption and authentication), high-assurance
systems, and secure system composition. (A/R 2-11)

To optimize research efforts relative to those of the
private sector, DHS will ensure that adequate
mechanisms exist for coordination of research and
development among academia, industry, and government,
and will develop new mechanisms where needed.
(A/R 2-12)

An important goal of cybersecurity research will be
the development of highly secure, trustworthy, and
resilient computing systems. In the future, working
with a computer, the Internet, or any other cyber
system may become as dependable as turning on the
lights or the water.

The Nation must seek to ensure that future components
of the cyber infrastructure are built to be inherently
secure and dependable for their users. Development of
highly secure and reliable systems will be pursued,
subject to budgeting constraints, through the national
cyberspace security research agenda.

The private sector is encouraged to consider including
in near-term research and development priorities,
programs for highly secure and trustworthy operating
systems. If such systems are developed and
successfully evaluated, the federal government will,
subject to budget considerations, accelerate
procurement of such systems. (A/R 2-13)

In addition, DHS will facilitate a national
public-private effort to promulgate best practices and
methodologies that promote integrity, security, and
reliability in software code development, including
processes and procedures that diminish the
possibilities of erroneous code, malicious code, or
trap doors that could be introduced during
development. (A/R 2-14)

2. Assess and Secure Emerging Systems

As new technologies are developed they introduce the
potential for new security vulnerabilities. Some new
technologies introduce security weaknesses that are
only corrected over time, with great difficulty, or
sometimes not at all. A person driving in a car around
a city, for example, can access many wireless local
area networks without the knowledge of their owners
unless strong security measures are added to those
systems.

As telephones and personal digital assistants, and
many other mobile devices, incorporate more
sophisticated operating systems and connectivity they
may require security features to prevent their
exploitation for distributed attacks on mobile
networks and even the Internet.

Emerging areas of research also can produce unforeseen
consequences for security. The emergence of optical
computing and intelligent agents, as well as in the
longer term, developments in areas such as
nanotechnology and quantum computing, among others,
will likely reshape cyberspace and its security. The
Nation must be at the leading edge in understanding
these technologies and their implications for
security.

DHS, in coordination with OSTP and other agencies, as
appropriate, will facilitate communication between the
public and private research and the security
communities, to ensure that emerging technologies are
periodically reviewed by the appropriate body within
the National Science and Technology Council, in the
context of possible homeland and cyberspace security
implications, and relevance to the federal research
agenda. (A/R 2-15)


Priority III: A National Cyberspace
Security Awareness and Training Program


Everyone who relies on part of cyberspace is
encouraged to help secure the part of cyberspace that
they can influence or control.

To do that, users need to know the simple things that
they can do to help to prevent intrusions, cyber
attacks, or other security breaches. All users of
cyberspace have some responsibility, not just for
their own security, but also for the overall security
and health of cyberspace.

In addition to the vulnerabilities in existing
information technology systems, there are at least two
other major barriers to users and managers acting to
improve cybersecurity: (1) a lack of familiarity,
knowledge, and understanding of the issues; and (2) an
inability to find sufficient numbers of adequately
trained and/or appropriately certified personnel to
create and manage secure systems.

Among the components of this priority are the
following:

• Promote a comprehensive national awareness program
to empower all Americans—businesses, the general
workforce, and the general population—to secure
their own parts of cyberspace;

• Foster adequate training and education programs to
support the Nation's cybersecurity needs;

• Increase the efficiency of existing federal
cybersecurity training programs; and

• Promote private sector support for
well-coordinated, widely recognized professional
cybersecurity certification.

Key  to  any  successful  national  effort  to  enhance 
cybersecurity  must  be  a  national  effort  to  raise 
awareness  (of  users  and  managers  at  all  levels) 
and  maintain  an  adequate  pool  of  well  trained 
and  certified  IT  security  specialists.  The  federal 
government  cannot  by  itself  create  or  manage 
all  aspects  of  such  an  effort.  It  can  only  do  so  in 
partnership  with  industry,  other  governments, 
and  nongovernmental  actors. 

Many federal agencies must play a part in this effort,
which will be led and coordinated by DHS. The
components of this program will include the following
federal programs (both existing programs and
initiatives which will be considered as part of the
budget decision making process) and activities, which
we recommend to our partners.

A.  AWARENESS 

1. Promote a Comprehensive National
Awareness Program to Empower All
Americans—Businesses, the General
Workforce, and the General Population—
to Secure their Own Parts of Cyberspace

In many cases solutions to cybersecurity issues exist,
but the people who need them do not know they exist or
do not know how or where to find them. In other cases
people may not even be aware of the need to make a
network element secure. A small business, for example,
may not realize that the configuration of its web
server uses a default password that allows anyone to
gain control of the system. Education and outreach
play an important role in making users and operators
of cyberspace sensitive to security needs. These
activities are an important part of the solution for
almost all of the issues discussed in the National
Strategy to Secure Cyberspace, from securing digital
control systems in industry, to securing broadband
Internet access at home.

DHS, working in coordination with appropriate federal,
state, and local entities and private sector
organizations, will facilitate a comprehensive
awareness campaign including audience-specific
awareness materials, expansion of the StaySafeOnline
campaign, and development of awards programs for those
in industry making significant contributions to
security. (A/R 3-1)

Increasing awareness and education prepares private
sectors, organizations, and individuals to secure
their parts of cyberspace. Actions taken by one entity
on a network can immediately and substantially affect
one or many others. Because the insecurity of one
participant in cyberspace can have a major impact on
the others, the actions they take to secure their own
networks contribute to the security of the whole. For
example, a few subverted servers recently enabled an
attack on some of the Internet Domain Name System root
servers and threatened to disrupt service for many
users. Through improved awareness the Nation can
stimulate actions to secure cyberspace by creating an
understanding at all audience levels of both
cybersecurity issues and solutions. DHS will lead an
effort to increase cybersecurity awareness for key
audiences:

a. Home Users and Small Business

Home users and small business are not part of the
critical infrastructures. However, their systems are
being increasingly subverted by malicious actors to
attack critical systems. Therefore, increasing the
awareness about cybersecurity among these users
contributes to greater infrastructure security. Home
users and small business owners of cyber systems often
start with the greatest knowledge gap about
cybersecurity.

DHS, in coordination with other agencies and private
organizations, will work to educate the general public
of home users, students, children, and small
businesses on basic cyberspace safety and security
issues. As part of these efforts, DHS will partner
with the Department of Education and state and local
governments to elevate the exposure of cybersecurity
issues in primary and secondary schools. In addition,
the Federal Trade Commission will continue to provide
information on cybersecurity for consumers and small
businesses through http://www.ftc.gov/infosecurity.

DHS, in coordination with the Department of Education,
will encourage and support, where appropriate subject
to budget considerations, state, local, and private
organizations in the development of programs and
guidelines for primary and secondary school students
in cybersecurity. (A/R 3-2)

In recent years, with the spread of "always on"
connections for systems, such as cable modems, digital
subscriber lines (DSL), and wireless and satellite
systems, the security of home user and small business
systems has become more important not only to the
users themselves, but to others to which they are
connected through the Internet. For example, these
connections generally mean that larger amounts of data
can be sent and done so in a continuous stream. These
two factors can be exploited and used to attack other
systems, possibly even resulting in nationally
significant damage. The Internet service providers,
antivirus software companies, and operating
system/application software developers that provide
services or products to home users and small
businesses can help raise their awareness of
cybersecurity issues.

Home users and small businesses can help the Nation
secure cyberspace by securing their own connections to
it. Installing firewall software and updating it
regularly, maintaining current antivirus software, and
regularly updating operating systems and major
applications with security enhancements are actions
that individuals and enterprise operators can take to
help secure cyberspace. To facilitate such actions,
DHS will create a public-private task force of private
companies, organizations, and consumer users groups to
identify ways that providers of information technology
products and services, and other organizations can
make it easier for home users and small businesses to
secure their systems. (A/R 3-3)

b. Large Enterprises

The security of large enterprises is important not
only to individual businesses, but to the Nation as a
whole. Large enterprises own major cyber networks and
computing systems that, if not secure, can be
exploited for attacks on other businesses in an
increasingly interconnected economy, and could, in the
case of a massive attack, have major economic
consequences. The cybersecurity of large enterprises
can be improved through strong management to ensure
that best practices and efficient technology are being
employed, especially in the areas of configuration
management, authentication, training, incident
response, and network management. DHS will continue
the work of sensitizing the owners of these networks
to their vulnerabilities and what can be done to
mitigate them. DHS, working with other government
agencies and private sector organizations, will build
upon and expand existing efforts to direct the
attention of key corporate decision makers (e.g., CEOs
and members of boards of directors) to the business
case for securing their companies' information
systems.

Decision makers can take a variety of steps to improve
the security of their enterprise networks and to
ensure that their networks cannot be maliciously
exploited. Large enterprises are encouraged to
evaluate the security of their networks that impact
the security of the Nation's critical infrastructures.
Such evaluations might include: (1) conducting audits
to ensure effectiveness and use of best practices; (2)
developing continuity plans which consider offsite
staff and equipment; and, (3) participating in
industrywide information sharing and best practice
dissemination. (A/R 3-4)

(i) Insider Threats. Many cyber attacks on enterprise
systems are perpetrated by trusted "insiders."
Insiders are people trusted with legitimate access
rights to enterprise information systems and networks.
Such trusted individuals can pose a significant threat
to the enterprise and beyond. The insider threat poses
a key risk because it provides a potential avenue for
individuals who seek to harm the Nation to gain access
to systems that could support their malicious
objectives. Effectively mitigating the insider threat
requires policies, practices, and continued training.
Three common policy areas which can reduce insider
threat include: (1) access controls, (2) segregation
of duties, and, (3) effective policy enforcement.

• Poor access controls enable an individual or group
to inappropriately modify, destroy, or disclose
sensitive data or computer programs for purposes such
as personal gain or sabotage.

• Segregation of duties is important in assuring the
integrity of an enterprise's information system. No
one person should have complete control of any system.

• Effective enforcement of an enterprise security
policy can be challenging and requires regular
auditing. New automated software is beginning to
emerge which can facilitate efficient enforcement of
enterprise security. These programs allow the input of
policy in human terms, translation to machine code,
and then monitoring at the packet level of all data
transactions within, and outbound from, the network.
Such software can detect and stop inappropriate use of
networks and cyber-based resources.

c. Institutions of Higher Education (IHEs)

Awareness plays an especially important role in
increasing the cybersecurity of IHEs. As recent
experience has shown, organized attackers have
collectively exploited many insecure computer systems
traceable to the campus networks of higher education
as a platform from which to launch denial-of-service
attacks and other threats to unrelated systems on the
Internet. Such attacks harm not only the targeted
systems, but also the owners of those systems and
those who desire to use their services. IHEs are
subject to exploitation for two reasons: (1) they
possess vast amounts of computing power; and (2) they
allow relatively open access to those resources. The
computing power owned by IHEs is extensive, covering
over 3,000 schools, many with research and significant
central computing facilities.

The higher education community, collectively, has been
actively engaged in efforts to organize its members
and coordinate action to raise awareness and enhance
cybersecurity on America's campuses. Most notably,
through EDUCAUSE, the community has raised the issue
of the Strategy's development with top leaders of
higher education, including the American Council on
Education and the Higher Education IT Alliance.
Significantly, through this effort, top university
presidents have adopted a 5-point Framework for Action
that commits them to giving IT security high priority
and to adopting the policies and measures necessary to
realize greater system security:

(1) Make IT security a priority in higher education;

(2) Revise institutional security policy and improve
the use of existing security tools;

(3) Improve security for future research and education
networks;

(4) Improve collaboration between higher education,
industry, and government; and

(5) Integrate work in higher education with the
national effort to strengthen critical infrastructure.

Colleges and universities are encouraged to secure
their cyber systems by establishing some or all of the
following as appropriate: (1) one or more ISACs to
deal with cyber attacks and vulnerabilities; (2) model
guidelines empowering Chief Information Officers
(CIOs) to address cybersecurity; (3) one or more sets
of best practices for IT security; and, (4) model user
awareness programs and materials. (A/R 3-5)

d.  Private  Sectors 

DHS will work with private sectors on general
awareness as well as on specific issues impacting
particular sectors. Private sectors own and operate
the vast majority of the Nation's cyberspace. As long
time partners in the effort to secure cyberspace, many
sectors have developed plans in parallel with the
National Strategy to Secure Cyberspace to help secure
their critical infrastructures. The sectors can serve
a vital role in the reduction of vulnerabilities by
creating sector-wide awareness of issues that affect
multiple members. Members can develop and share best
practices and work together toward common security
solutions. For example, SCADA systems are a widespread
security issue in the energy sector. Solutions are
being coordinated with the Department of Energy and
across the sector. The sectors also play a role in the
identification of research needs. DHS will closely
coordinate with private sectors on plans and
initiatives to secure cyberspace.

A public-private partnership should continue work in
helping to secure the Nation's cyber infrastructure
through participation in, as appropriate and feasible,
a technology and R&D gap analysis to provide input
into the federal cybersecurity research agenda,
coordination on the conduct of associated research,
and the development and dissemination of best
practices for cybersecurity. (A/R 3-6)

e. State and Local Governments

DHS will implement plans to focus key decision makers
in state and local governments—such as governors,
state legislatures, mayors, city managers, and county
commissioners/boards of supervisors—to support
investment in information systems security measures
and adopt enforceable management policies and
practices.

B.  TRAINING

In addition to raising general awareness, the Nation
must focus resources on training a talented and
innovative pool of citizens that can specialize in
securing the infrastructure. While the need for this
pool has grown quickly with the expansion of the
Internet and the pervasiveness of computers, networks,
and other cyber devices, the investment in training
has not kept pace. Universities are turning out fewer
engineering graduates, and much of their resources are
dedicated to other subjects, such as biology and life
sciences. This trend must be reversed if the United
States is to lead the world with its cyber economy.

1. Foster Adequate Training and Education
Programs to Support the Nation's
Cybersecurity Needs

Improvements in cybersecurity training will be
accomplished primarily through the work of private
training organizations, institutions of learning, and
the Nation's school systems. DHS will also encourage
private efforts to ensure that adequate opportunities
exist for continuing education and advanced training
in the workplace to maintain high skills standards and
the capacity to innovate.

The federal government can play a direct role in
several ways. First, DHS will implement and encourage
the establishment of programs to advance the training
of cybersecurity professionals in the United States,
including coordination with NSF, OPM, and NSA, to
identify ways to leverage the existing Cyber Corps
Scholarship for Service program as well as the various
graduate, postdoctoral, senior researcher, and faculty
development fellowship and traineeship programs
created by the Cyber Security Research and Development
Act, to address these important training and education
workforce issues. (A/R 3-7)

2. Increase the Efficiency of Existing Federal
Cybersecurity Training Programs

Second, DHS will explore the benefits of a center for
the development of cybersecurity training practices
that would draw together expertise and be consistent
with the federal "build once, use many" approach. DHS,
in coordination with other agencies with cybersecurity
training expertise, will develop a coordination
mechanism linking federal cyber security and computer
forensics training programs. (A/R 3-8)

C.  CERTIFICATION 

1. Promote Private Sector Support for
Well-coordinated Widely Recognized Professional
Cybersecurity Certifications

Related to education and training is the need for
certification of qualified persons. Certification can
provide employers and consumers with greater
information about the capabilities of potential
employees or security consultants. Currently, some
certifications for cybersecurity workers exist;
however, they vary greatly in the requirements they
impose. For example, some programs emphasize broad
knowledge verified by an extensive multiple-choice
exam, while others verify in-depth practical knowledge
on a particular cyber component. No one certification
offers a level of assurance about a person's practical
and academic qualifications, similar to those offered
by the medical and legal professions.

To address this issue, a number of industry
stakeholders including representatives of both
consumers and providers of IT security certifications
are beginning to explore approaches to developing
nationally recognized certifications and guidelines
for certification.

Aspects that warrant consideration by these
organizations include levels of education and
experience, peer recognition, continuing education
requirements, testing guidance, as applicable for
various levels of certification that may be
established, and models for administering a
certification for IT security professionals similar to
those successfully employed in other professions. DHS
and other federal agencies, as downstream consumers
(prospective employers of certified personnel), can
aid these efforts by effectively articulating the
needs of the federal IT security community.

DHS will encourage efforts that are needed to build
foundations for the development of security
certification programs that will be broadly accepted
by the public and private sectors. DHS and other
federal agencies can aid these efforts by effectively
articulating the needs of the federal IT security
community. (A/R 3-9)


Priority IV: Securing Governments'
Cyberspace


Although most critical infrastructures are in the
private sector, governments at various levels perform
many key functions. Among those key functions are
national defense, homeland security, emergency
response, taxation, payments to citizens, central bank
activities, criminal justice, and public health. All
of those functions and others now depend upon
information networks and systems. Thus, it is the duty
of governments to secure their information systems in
order to provide essential services. At the federal
level it is also required by law.

The foundation for the federal government's
cybersecurity requires assigning clear and unambiguous
authority and responsibility for security, holding
officials accountable for fulfilling those
responsibilities, and integrating security
requirements into budget and capital planning
processes.

The federal government will lead by example, giving
cybersecurity appropriate attention and care, and
encouraging others to do so. The federal government's
procurement practices will be used to help promote
cybersecurity. For example, federal agencies should
become early adopters of new, more secure systems and
protocols where appropriate.

State and local governments can have a similar effect
on cybersecurity. The federal government is ready to
partner with both state and local governments to
promote cybersecurity.

Within the federal government the Director of
OMB is responsible for ensuring that
department and agency heads carry out their
legal responsibilities to secure IT systems, with
the exception of classified systems of national
security departments and agencies that are the
responsibility of the Secretary of Defense and
the Director of Central Intelligence.

A.  THE  FEDERAL  GOVERNMENT 

Beginning with the Budget Blueprint in
February 2001, continuing in the fiscal year
2002 and 2003 budgets, and the Management
Reform Agenda, this administration has set a
clear agenda for government reform. These
reforms include unifying federal government
security and critical infrastructure protection
initiatives, and making strong security a
condition of funding for all federal investments
in information-technology systems.

The National Strategy to Secure Cyberspace
supports these efforts by working to ensure
that the federal government can identify
vulnerabilities, anticipate threats, mitigate
attacks when possible, and provide for
continuity of operations.

To overcome deficiencies in cybersecurity,
OMB established a governmentwide IT
security program, as required by law, to set IT
security policies and perform oversight of
federal agency compliance with security
requirements. This program is based on a
cost-effective, risk-based approach. Agencies must
ensure that security is integrated within every
IT investment. This approach is designed to
enable federal government business operations,
not to unnecessarily impede those functions.


1. Continuously Assess Threats and
Vulnerabilities to Federal Cyber Systems

A key step to ensuring the security of federal
information technology is to understand the
current state of the effectiveness of security and
privacy controls in individual systems. Once
identified, it is equally important to maintain
that understanding through a continuing cycle
of risk assessment. This approach is reflected in
OMB security policies, and is featured in
FISMA.

OMB's first report to Congress on government
information security reform in February 2002
identified six common governmentwide security
performance gaps.

These weaknesses included:

(1) Lack of senior management attention;

(2) Lack of performance measurement;

(3) Poor security education and awareness;

(4) Failure to fully fund and integrate
security into capital planning and
investment control;

(5) Failure to ensure that contractor services
are adequately secure; and

(6) Failure to detect, report, and share
information on vulnerabilities.

These gaps are not new or surprising. OMB,
along with the General Accounting Office and
agency inspectors general, has found them to be
problems for at least 6 years. The evaluation
and reporting requirements established by law
have given OMB and federal agencies an
opportunity to develop a comprehensive,
cross-government baseline of agency IT security
performance that had not been previously
available. More importantly, through the
development and use of corrective action plans, the
federal government has a uniform process to
track progress in fixing those weaknesses.

Before  OMB  approves  funding  for  a  system  an
agency  must  demonstrate  that  it  has  resolved 
outstanding  security  issues  related  to  the 
system.  Additionally,  agencies  must  ensure  that 
security  has  been  incorporated  and  security 
costs  reported  for  every  IT  investment  through 
the  federal  capital  planning  process.  OMB 
policy  stipulates  that  specific  lifecycle  security 
costs  be  identified,  built  into,  and  funded  as 
part  of  each  system  investment.  Failure  to  do  so 
results  in  disapproval  of  funding  for  the  entire 
system. 

2. Agency-Specific Processes

The federal government must have a comprehensive
and crosscutting approach to improving
cybersecurity. Three processes central to
improving and maintaining federal cybersecurity
in the agencies are: identifying and
documenting enterprise architectures; continuously
assessing threats and vulnerabilities, and
understanding the risks they pose to agency
operations and assets; and implementing
security controls and remediation efforts to
reduce and manage those risks. Each agency
will be expected to create and implement this
formal three-step process to achieve greater
security.

a. Identify and Document Enterprise Architectures

OMB policy requires each agency to identify
and document their enterprise architecture,
including an authoritative inventory of all
operations and assets, all agency IT systems,
critical business processes, and their
interrelationships with other organizations. This
process yields a governmentwide view of critical
security needs.

Through the budget process, the federal
government will drive agency investments in
commercially available tools to improve their
architectures and system configuration.
Configuration management and control has
incidental and important benefits to security.
For example, controlling system configuration
permits agencies to more effectively and
efficiently enforce policies and permissions and
more easily install antivirus definitions and
other software updates and patches across an
entire system or network.

b. Continuously Assess Threats and Vulnerabilities

Commercially available automated auditing and
reporting mechanisms should be used to
validate the effectiveness of the security controls
across a system and are essential to continuously
understand risks to those systems. These tools
can help in analyzing data, providing
forward-looking assessments, and alerting agencies of
unacceptable risks to their operations.

Federal agencies will continue to expand the use of
automated, enterprise-wide security assessment and
security policy enforcement tools and actively deploy
threat management tools to deter attacks. The
federal government will determine whether specific
actions are necessary (e.g., through the policy or
budget processes) to promote the greater use of these
tools. (A/R 4-1)

c. Implement Security Controls and Remediation
Efforts

The implementation of security controls that
maintain risk at an acceptable level can often be
accomplished in a relatively brief amount of
time. However, the remediation of vulnerabilities
is a much more complex challenge.
Software is constantly changing and each new
upgrade can introduce new vulnerabilities. As a
result, vulnerabilities must be assessed continuously.
Remediation often involves "patching" or
installing pieces of software or code that are
used to update the main program. The remediation
of federal systems must be planned in a
consistent fashion.

B. ADDITIONAL GOVERNMENTWIDE
CHALLENGES

In addition, there are four specific governmentwide
security challenges that need to be
addressed. Each agency, as appropriate, should
work with OMB to resolve these challenges.

1. Authenticate and Maintain Authorization
for Users of Federal Systems

Identifying and authenticating each system user
is the first link in the system security chain, and
it must take place whenever system access is
initiated. To establish and maintain secure
system operations, organizations must ensure
that the people on the system are who they say
they are and are doing only what they are
authorized to do. Many authentication procedures
used today are inadequate. Passwords are
not being changed from the system default, are
often incorrectly configured, and are rarely
updated.

The federal government will continue to
promote a continuing chain of security for all
federal employees and processes, including the
use, where appropriate, of biometric smart cards
for access to buildings and computers, and
authentication from the moment of computer
log on. The benefits of such an approach are
clear. By promoting multi-layered identification
and authentication (the use of strong
passwords, smart tokens, and biometrics), the
federal government will eliminate many significant
security problems that it has today.

Through the ongoing E-Authentication initiative,
the federal government will review the need for
stronger access control and authentication; explore
the extent to which all departments can employ the
same physical and logical access control tools and
authentication mechanisms; and consequently,
further promote consistency and interoperability.
(A/R 4-2)


The  National  Information 
Assurance  Partnership  (NIAP) 

NIAP is a U.S. Government initiative to
meet testing, evaluation, and assessment
needs of both information technology (IT)
producers and consumers. NIAP is a
collaboration between the National
Institute of Standards and Technology
(NIST) and the National Security Agency
(NSA) in fulfilling their respective
responsibilities under the Computer Security Act
of 1987.

The partnership, originated in 1997,
combines the extensive security experience
of both agencies to promote the development
of technically sound security
requirements for IT products and systems
and appropriate metrics for evaluating those
products and systems. The long-term goal
of NIAP is to help increase the level of
trust consumers have in their information
systems and networks through the use of
cost-effective security testing, evaluation,
and assessment programs. NIAP continues
to build important relationships with
government agencies and industry in a
variety of areas to help meet current and
future IT security challenges affecting the
Nation's critical information infrastructure.

More information on the partnership can
be found at http://www.niap.nist.gov.

2. Secure Federal Wireless Local Area
Networks

When using wireless technology, the federal
government will carefully evaluate the risks
associated with using such technology for
critical functions. The National Institute of
Standards and Technology (NIST) notes that
wireless communications can be intercepted
and that wireless networks can also experience
denial-of-service attacks. Federal agencies
should use the NIST findings and
recommendations on wireless systems as a guide
to the operation of wireless networks.

Federal agencies should consider installing systems
that continuously check for unauthorized connections
to their networks. Agency policy and
procedures should reflect careful consideration of
additional risk reduction measures, including the
use of strong encryption, bi-directional authentication,
shielding standards and other technical
security considerations, configuration management,
intrusion detection, incident handling, and
computer security awareness and training
programs. (A/R 4-3)

3. Improve Security in Government
Outsourcing and Procurement

Through a joint effort of OMB's Office of
Federal Procurement Policy, the Federal
Acquisition Regulations Council, and the
Executive Branch Information Systems Security
Committee, the federal government is identifying
ways to improve security in agency
contracts and evaluating the overall federal
procurement process as it relates to security.

Agencies' maintenance of security for
outsourced operations was cited as one of the
key weaknesses identified in OMB's February
2002 security report to Congress.

Additionally, the federal government will be
conducting a comprehensive review of the National
Information Assurance Partnership (NIAP), to
determine the extent to which it is adequately
addressing the continuing problem of security flaws
in commercial software products. This review will
include lessons learned from implementation of the
Defense Department's July 2002 policy requiring
the acquisition of products reviewed under the
NIAP or similar evaluation processes. (A/R 4-4)

Department of Defense (DoD) policy stipulates
that if an evaluated product of the type
being sought is available for use, then the DoD
component must procure the evaluated product.
If no evaluated product is currently available,
the component must require prospective
vendors to submit their product for evaluation
to be further considered.

Following  this  program  review,  the  government 
will  evaluate  the  cost  effectiveness  of  expanding 
the  program  to  cover  all  federal  agencies.  If  this 
proves  workable,  it  could  both  improve 
government  security  and  leverage  the 
government's  significant  purchasing  power  to 
influence  the  market  and  begin  to  improve  the 
security  of  all  consumer  information  technology 
products. 

4. Develop Specific Criteria for Independent
Security Reviews and Reviewers and
Certification

With the growing emphasis on security comes
the corresponding need for expert independent
verification and validation of agency security
programs and practices. FISMA and OMB's
implementing guidance require that agencies'
program officials and CIOs review at least
annually the status of their programs. Few
agencies have available personnel resources to
conduct such reviews, and thus they frequently
contract for such services. Agencies and OMB
have found that contractor security expertise
varies widely from the truly expert to less than
acceptable. Moreover, many independent verification
and validation contractors are also in the
business of providing security program implementation
services; thus, their program reviews
may be biased toward their preferred way of
implementing security.

The federal government will explore whether
private sector security service providers to the
federal government should be certified as meeting
certain minimum capabilities, including the extent
to which they are adequately independent. (A/R 4-5)

C. STATE AND LOCAL GOVERNMENTS

American democracy is rooted in the precepts
of federalism—a system of government in
which power is allocated between federal and
state governments. This structure of overlapping
federal, state, and local governance has more
than 87,000 different jurisdictions and provides
unique opportunity and challenges for
cyberspace security efforts. State and local
governments, like the federal government,
operate large, interconnected information
systems upon which critical government
services depend.

States provide services that make up the "public
safety net" for millions of Americans and their
families. Services include essential social
support activities as well as critical public safety
functions, such as law enforcement and
emergency response services. States also own
and operate critical infrastructure systems, such
as electric power and transmission, transportation,
and water systems. They play a
catalytic role in bringing together the different
stakeholders that deliver critical services within
their state to prepare for, respond to, manage,
and recover from a crisis. Delivering critical
services unique to their roles and responsibilities
within our federalist system makes state
government a critical infrastructure sector in its
own right.

Many of these critical functions carried out by
states are inexorably tied to IT—including
making payments to welfare recipients,
supporting law enforcement with electronic
access to criminal records, and operating
state-owned utility and transportation services.
Preventing cyber attacks and responding
quickly when they do occur ensures that these
24/7 systems remain available and in place to
provide important services that the public needs
and expects. Information technology systems
have the potential for bringing unprecedented
efficiency and responsiveness from state governments
for their residents. Citizen confidence in
the integrity of these systems and the data
collected and maintained by them is essential
for expanded use and capture of these potential
benefits.

With an increasing dependence on integrated
systems, state, local, and federal agencies have
to collectively combat cyber attacks. Sharing
information to protect systems is an important
foundation for ensuring government continuity.
States have adopted several mechanisms to
facilitate the sharing of information on cyber
attacks and in reporting incidents.

These mechanisms are continually modified
and improved as new policy emerges and as
technological solutions become available. In
addition, states are exploring options for
improving information sharing both internally
and externally. These options include enacting
legislation that provides additional funding and
training for cybersecurity and forming partnerships
across state, local, and federal
governments to manage cyber threats.

1. DHS will Work with State and Local
Governments and Encourage them to
Consider Establishing IT Security Programs
and to Participate in ISACs with Similar
Governments

State and local governments are encouraged to
establish IT security programs for their departments
and agencies, including awareness, audits, and
standards; and to participate in the established
ISACs with similar governments. (A/R 4-6)

Priority V: National Security and
International Cyberspace Security
Cooperation


America's cyberspace is linked to that of the rest
of the world. Attacks cross borders at light
speed. Distinguishing between malicious
activity originating from criminals, nation state
actors, and terrorists in real time is difficult.
This requires America to be prepared to defend
critical networks and respond to attacks in each
case. Systems supporting this country's critical
national defense and the intelligence
community must be secure, reliable, and
resilient—able to withstand attack regardless of
the origin of attack. America must also be
prepared to respond as appropriate to attacks
against its critical infrastructure. At the same
time, America must be ready to lead global
efforts, working with governments and industry
alike, to secure cyberspace that is vital to the
operation of the world's economy and markets.
Global efforts require raising awareness,
promoting stronger security standards, and
aggressively investigating and prosecuting
cybercrime.

A.  ENSURING  AMERICA'S  NATIONAL 
SECURITY 

We face adversaries, including nation states and
terrorists, who could launch cyber attacks or
seek to exploit our systems. In peacetime
America's enemies will conduct espionage
against our government, university research
centers, and private companies. Activities would
likely include mapping U.S. information
systems, identifying key targets, lacing our
infrastructure with "back doors" and other
means of access. In wartime or crisis, adversaries
may seek to intimidate by attacking
critical infrastructures and key economic
functions or eroding public confidence in
information systems. They may also attempt to slow
the U.S. military response by disrupting systems
of the Department of Defense (DoD), the
Intelligence Community, and other government
organizations as well as critical infrastructures.

America has already experienced significant
national cybersecurity events. In 1998, attackers
carried out a sophisticated, tightly orchestrated
series of cyber intrusions into the computers of
DoD, NASA, and government research labs.
The intrusions were targeted against those
organizations that conduct advanced technical
research on national security, including
atmospheric and oceanographic topics as well as
aircraft and cockpit design.

The United States must have the capability to
secure and defend systems and infrastructures
that are deemed national security assets, and
develop the capability to quickly identify the
origin of malicious activity. We must improve
our national security posture in cyberspace to
limit the ability of adversaries to conduct
espionage or pressure the United States.

1. Strengthen Counterintelligence Efforts in
Cyberspace

The FBI and intelligence community should ensure
a strong counterintelligence posture to counter
cyber-based intelligence collection against the
United States government, and commercial and
educational organizations. This effort must include
a deeper understanding of the capability and intent
of our adversaries to use cyberspace as a means for
espionage. (A/R 5-1)


2.  Improve  Attack  Attribution  and  Prevention 
Capabilities 

The intelligence community, DoD, and the law
enforcement agencies must improve the Nation's
ability to quickly attribute the source of threatening
attacks or actions to enable timely and effective
response. Consistent with the National Security
Strategy, these efforts will also seek to develop
capabilities to prevent attacks from reaching critical
systems and infrastructures. (A/R 5-2)

3. Improve Coordination for Responding to
Cyber Attacks within the United States
National Security Community

The United States must improve interagency
coordination between law enforcement, national
security, and defense agencies involving cyber-based
attacks and espionage, ensuring that criminal
matters are referred, as appropriate, among those
agencies. The National Security Council and the
Office of Homeland Security will lead a study to
ensure that appropriate mechanisms are in place.
(A/R 5-3)

4. Reserve the Right to Respond in an
Appropriate Manner

When a nation, terrorist group, or other adversary
attacks the United States through cyberspace, the
U.S. response need not be limited to criminal
prosecution. The United States reserves the right to
respond in an appropriate manner. The United
States will be prepared for such contingencies.
(A/R 5-4)

B.  INTERNATIONAL  COOPERATION 

The Department of State will lead federal
efforts to enhance international cyberspace
security cooperation. Key initiatives include:

1. Work through International Organizations
and with Industry to Facilitate and to
Promote a Global "Culture of Security"

America's interest in promoting global cybersecurity
extends beyond our borders. Our
information infrastructure is directly linked
with Canada, Mexico, Europe, Asia, and South
America. The United States and world
economy increasingly depend upon global
markets and multinational corporations
connected via information networks. The vast
majority of cyber attacks originates or passes
through systems abroad, crosses several borders,
and requires international investigative
cooperation to be stopped.

Global networks supporting critical economic
and security operations must be secure and
reliable. Securing global cyberspace will require
international cooperation to raise awareness,
increase information sharing, promote security
standards, and investigate and prosecute those
who engage in cybercrime. The United States is
committed to working with nations to ensure
the integrity of the global information networks
that support critical economic and security
infrastructure. We are also ready to utilize
government-sponsored organizations such as
the Organization of Economic Cooperation
and Development (OECD), G-8, the Asia
Pacific Economic Cooperation forum (APEC),
and the Organization of American States
(OAS), and other relevant organizations to
facilitate global coordination on cybersecurity.

In order to facilitate coordination with the
private sector, we will also utilize such
organizations as the Transatlantic Business Dialogue.

2. Develop Secure Networks

The United States will engage in cooperative
efforts to solve technical, scientific, and
policy-related problems to assure the integrity of
information networks. We will encourage the
development and adoption of international
technical standards and facilitate collaboration
and research among the world's best scientists
and researchers. We will promote such efforts as
the OECD's Guidelines for the Security of
Information Systems and Networks, which strive
to inculcate a "culture of security" across all
participants in the new information society.


Because most nations' key information
infrastructures reside in private hands, the
United States will seek the participation of
United States industry to engage foreign
counterparts in a peer-to-peer dialogue, with
the twin objectives of making an effective
business case for cybersecurity, and explaining
successful means for partnering with
government on cybersecurity.

The United States will work through appropriate
international organizations and in partnership
with industry to facilitate dialogue between foreign
public and private sectors on information
infrastructure protection and promote a global "culture of
security." (A/R 5-5)

3. Promote North American Cyberspace
Security

The United States will work with Canada and
Mexico to make North America a "Safe Cyber
Zone." We will expand programs to identify and
secure critical common networks that underpin
telecommunications, energy, transportation,
banking and finance systems, emergency services,
food, public health, and water systems. (A/R 5-6)

4. Foster the Establishment of National and
International Watch-and-Warning
Networks to Detect and Prevent Cyber
Attacks as they Emerge

The United States will urge each nation to build on
the common Y2K experience and appoint a
centralized point-of-contact who can act as a
liaison between domestic and global cybersecurity
efforts. Establishing points of contact can greatly
enhance the international coordination and
resolution of cyberspace security issues. We will also
encourage each nation to develop its own
watch-and-warning network capable of informing
government agencies, the public, and other countries
about impending attacks or viruses. (A/R 5-7)

To facilitate real-time sharing of the threat
information as it comes to light, the United States
will foster the establishment of an international
network capable of receiving, assessing, and
disseminating this information globally. Such a network
can build on the capabilities of nongovernmental
institutions such as the Forum of Incident Response
and Security Teams. (A/R 5-8)

The United States will encourage regional
organizations, such as the APEC, EU, and OAS, to each
form or designate a committee responsible for
cybersecurity. Such committees would also benefit from
establishing parallel working groups with
representatives from the private sector. The United States
will also encourage regional organizations, such as
the APEC, EU, and OAS, to establish a joint
committee on cybersecurity with representatives
from government and the private sector. (A/R 5-9)

5. Encourage Other Nations to Accede to the
Council of Europe Convention on
Cybercrime, or to Ensure that their Laws
and Procedures are at Least as
Comprehensive

The United States will actively foster
international cooperation in investigating and
prosecuting cybercrime. The United States has
signed and supports the recently concluded
Council of Europe Convention on Cybercrime,
which requires countries to make cyber attacks
a substantive criminal offense and to adopt
procedural and mutual assistance measures to
better combat cybercrime across international
borders.

The United States will encourage other nations to
accede to the Council of Europe Convention on
Cybercrime or to ensure that their laws and
procedures are at least as comprehensive. (A/R 5-10)

Ongoing multilateral efforts, such as those in
the G-8, APEC, and OECD are also
important. The United States will work to
implement agreed-upon recommendations and
action plans that are developed in these forums.
Among these initiatives, the United States in
particular will urge countries to join the
24-hour, high-tech crime contact network begun
within the G-8, and now expanded to the
Council of Europe membership, as well as
other countries.
Conclusion: The Way Forward


Our reliance on cyberspace will only continue
to grow in the years ahead. Cyberspace and the
networks that connect to it now support our
economy and provide for our national and
homeland defense. This national dependency
must be managed with continuous efforts to
secure the cyber systems that control our
infrastructures.

Securing cyberspace is a complex and evolving
challenge. The National Strategy to Secure
Cyberspace was developed in close collaboration
with key sectors of the economy that rely on
cyberspace, state and local governments,
colleges and universities, and concerned
organizations. Town hall meetings were held around
the country, and fifty-three clusters of key
questions were published to spark public debate.
In addition, a draft version of the National
Strategy to Secure Cyberspace was shared with the
Nation for public comment. The response has
been overwhelming.

The public-private partnerships that formed in
response to the President's call have developed
their own strategies to protect the parts of
cyberspace on which they rely. This unique
partnership and process was and will continue
to be necessary because the majority of the
country's cyber resources are controlled by
entities outside of government. For the National
Strategy to Secure Cyberspace to work it must be a
plan in which a broad cross section of the
country is both invested and committed.
Accordingly, the dialogue about how we secure
cyberspace will continue.
The National Strategy to Secure Cyberspace
identifies five national priorities that will help
us achieve this ambitious goal. These are: (1) a
national cyberspace security response system;
(2) a national cyberspace security threat and
vulnerability reduction program; (3) a national
cyberspace security awareness and training
program; (4) securing governments' cyberspace;
and, (5) national security and international
cyberspace security cooperation. These five
priorities will serve to prevent, deter, and
protect against attacks. In addition, they also
create a process for minimizing the damage and
recovering from attacks that do occur.

The National Strategy to Secure Cyberspace is,
however, only a first step in a long-term effort
to secure our information infrastructures. The
federal executive branch will use a variety of
tools to implement this Strategy. The
Administration will work with Congress to
craft future federal security budgets based on
the Strategy, providing every department and
agency involved in cybersecurity with resources
to execute its responsibilities. Each lead
department and agency will plan and program
to execute the initiatives assigned by the
National Strategy to Secure Cyberspace.

Within the federal government DHS will play a
central role in implementing the National
Strategy to Secure Cyberspace. In addition to
executing its assigned initiatives, the
Department would also serve as the primary
federal point-of-contact for state and local
governments, the private sector, and the
American people on issues related to cyberspace
security. Working with the White House, the
Department therefore would coordinate and
support implementation of non-federal tasks
recommended in the National Strategy to Secure
Cyberspace.

Each department and agency will also be
accountable for its performance on cybersecurity
efforts. The federal government will
employ performance measures—and encourage
the same for state and local governments—to
evaluate the effectiveness of the cybersecurity
programs outlined in this Strategy. These
performance measures will allow agencies to
measure their progress, make resource allocation
decisions, and adjust priorities accordingly.

Federal, state, and local governments, as well as
organizations and people all across the United
States will continue to work to improve cyberspace
security. As these strategies and plans are
implemented, we will begin to incrementally
reduce threats and vulnerabilities.

Cybersecurity and personal privacy need not be
opposing goals. Cyberspace security programs
must strengthen, not weaken, such protections.
The federal government will continue to
regularly meet with privacy advocates to discuss
cybersecurity and the implementation of this
Strategy.

For the foreseeable future, two things will be
true: America will rely upon cyberspace and the
federal government will seek a continuing broad
partnership to develop, implement, and refine
the National Strategy to Secure Cyberspace.
Actions and Recommendations (A/R)
Summary


Priority  I:  A  National  Cyberspace 
Security  Response  System 

A/R 1-1: DHS will create a single point-of-contact
for the federal government's interaction
with industry and other partners for 24 x 7
functions, including cyberspace analysis,
warning, information sharing, major incident
response, and national-level recovery efforts.
Private sector organizations, which have major
contributions for those functions, are
encouraged to coordinate activities, as permitted
by law, in order to provide a synoptic view of
the health of cyberspace on a 24 x 7 basis.

A/R 1-2: As outlined in the 2003 budget, the
federal government will complete the installation
of CWIN to key government
cybersecurity-related network operation centers,
to disseminate analysis and warning information
and perform crisis coordination. The
federal government will also explore linking the
ISACs to CWIN.

A/R 1-3: To test civilian agencies' security
preparedness and contingency planning, DHS
will use exercises to evaluate the impact of cyber
attacks on governmentwide processes.
Weaknesses discovered will be included in
agency corrective action plans and submitted to
the OMB. DHS also will explore such exercises
as a way to test the coordination of public and
private incident management, response and
recovery capabilities.

A/R 1-4: Corporations are encouraged to
regularly review and exercise IT continuity
plans and to consider diversity in IT service
providers as a way of mitigating risk.


A/R 1-5: Infrastructure sectors are encouraged
to establish mutual assistance programs for
cybersecurity emergencies. DoJ and the Federal
Trade Commission should work with the
sectors to address barriers to such cooperation,
as appropriate. In addition, DHS's Information
Analysis and Infrastructure Protection
Directorate will coordinate the development
and regular update of voluntary joint
government-industry cybersecurity contingency
plans, including a plan for recovering Internet
functions.

A/R 1-6: DHS will raise awareness about the
removal of impediments to information sharing
about cybersecurity and infrastructure vulnerabilities
between the public and private sectors.

The Department will also establish an infrastructure
protection program office to manage
the information flow, including the development
of protocols for how to care for
"voluntarily submitted critical infrastructure
information."

A/R 1-7: Corporations are encouraged to
consider active involvement in industrywide
programs to share information on IT security,
including the potential benefits of joining an
appropriate ISAC. Colleges and universities are
encouraged to consider establishing: (1) one or
more ISACs to deal with cyber attacks and
vulnerabilities; and, (2) an on-call point-of-contact
to Internet service providers and law
enforcement officials in the event that the
school's IT systems are discovered to be
launching cyber attacks.
Priority II: A National Cyberspace
Security Threat and Vulnerability
Reduction Program

A/R  2-1:  DoJ  and  other  appropriate  agencies 
will  develop  and  implement  efforts  to  reduce 
cyber  attacks  and  cyber  threats  through  the 
following  means:  (1)  identifying  ways  to 
improve  information  sharing  and  investigative 
coordination  within  the  federal,  state,  and  local 
law  enforcement  community  working  on  critical 
infrastructure  and  cyberspace  security  matters, 
and with other agencies and the private sector;
(2) exploring means to provide sufficient investigative
and forensic resources and training to
facilitate expeditious investigation and
resolution of critical infrastructure incidents;
and, (3) developing better data about victims of
cybercrime and intrusions in order to understand
the scope of the problem and be able to
track changes over time.

A/R 2-2: DHS, in coordination with appropriate
agencies and the private sector, will lead
in the development and conduct of a national
threat assessment including red teaming, blue
teaming, and other methods to identify the
impact of possible attacks on a variety of
targets.

A/R 2-3: The Department of Commerce will
form a task force to examine the issues related
to IPv6, including the appropriate role of
government, international interoperability,
security in transition, and costs and benefits.
The task force will solicit input from potentially
impacted industry segments.

A/R 2-4: DHS, in coordination with the
Commerce Department and appropriate
agencies, will coordinate public-private partnerships
to encourage: (1) the adoption of
improved security protocols; (2) the development
of more secure router technology; and,
(3) the adoption by ISPs of a "code of good
conduct," including cybersecurity practices and
security related cooperation. DHS will support
these efforts as required for their success,
subject to other budget considerations.

A/R 2-5: DHS, in coordination with DOE and
other concerned agencies and in partnership
with industry, will develop best practices and
new technology to increase security of
DCS/SCADA, to determine the most critical
DCS/SCADA-related sites, and to develop a
prioritized plan for short-term cybersecurity
improvements in those sites.

A/R 2-6: DHS will work with the National
Infrastructure Advisory Council and private
sector organizations to develop an optimal
approach and mechanism for vulnerability
disclosure.

A/R 2-7: GSA will work with DHS on an
improved approach to implementing a patch
clearinghouse for the federal government. DHS
will also share lessons learned with the private
sector and encourage the development of a
voluntary, industry-led, national effort to
develop a similar clearinghouse for other sectors
including large enterprises.

A/R 2-8: The software industry is encouraged
to consider promoting more secure "out-of-the-box"
installation and implementation of their
products, including increasing: (1) user
awareness of the security features in products;
(2) ease-of-use for security functions; and, (3)
where feasible, promotion of industry guidelines
and best practices that support such efforts.

A/R 2-9: DHS will establish and lead a public-private
partnership to identify cross-sectoral
interdependencies both cyber and physical. The
partnership will develop plans to reduce related
vulnerabilities in conjunction with programs
proposed in the National Strategy for
Homeland Security. The National
Infrastructure Simulation and Analysis Center
in DHS will support these efforts by developing
models to identify the impact of cyber and
physical interdependencies.
A/R 2-10: DHS also will support, when
requested and as appropriate, voluntary efforts
by owners and operators of information system
networks and network data centers to develop
remediation and contingency plans to reduce
the consequences of large-scale physical damage
to facilities supporting such networks, and to
develop appropriate procedures for limiting
access to critical facilities.

A/R 2-11: To meet these needs, the Director of
OSTP will coordinate the development, and
update on an annual basis a federal government
research and development agenda that includes
near-term (1-3 years), mid-term (3-5 years),
and later (5 years out and longer) IT security
research for Fiscal Year 2004 and beyond.
Existing priorities include, among others,
intrusion detection, Internet infrastructure
security (including protocols such as BGP and
DNS), application security, DoS, communications
security (including SCADA system
encryption and authentication), high-assurance
systems, and secure system composition.

A/R 2-12: To optimize research efforts relative
to those of the private sector, DHS will ensure
that adequate mechanisms exist for coordination
of research and development among
academia, industry and government, and will
develop new mechanisms where needed.

A/R 2-13: The private sector is encouraged to
consider including in near-term research and
development priorities, programs for highly
secure and trustworthy operating systems. If
such systems are developed and successfully
evaluated, the federal government will, subject
to budget considerations, accelerate
procurement of such systems.

A/R 2-14: DHS will facilitate a national
public-private effort to promulgate best
practices and methodologies that promote
integrity, security, and reliability in software
code development, including processes and
procedures that diminish the possibilities of
erroneous code, malicious code, or trap doors
that could be introduced during development.

A/R 2-15: DHS, in coordination with OSTP
and other agencies, as appropriate, will facilitate
communication between the public and private
research and the security communities, to
ensure that emerging technologies are periodically
reviewed by the appropriate body within
the National Science and Technology Council,
in the context of possible homeland and cyberspace
security implications, and relevance to the
federal research agenda.

Priority  III:  A  National  Cyberspace 
Security  Awareness  and  Training 
Program 

A/R 3-1: DHS, working in coordination with
appropriate federal, state, and local entities and
private sector organizations, will facilitate a
comprehensive awareness campaign including
audience-specific awareness materials,
expansion of the StaySafeOnline campaign, and
development of awards programs for those in
industry making significant contributions to
security.

A/R 3-2: DHS, in coordination with the
Department of Education, will encourage and
support, where appropriate subject to budget
considerations, state, local, and private organizations
in the development of programs and
guidelines for primary and secondary school
students in cybersecurity.

A/R 3-3: Home users and small businesses can
help the Nation secure cyberspace by securing
their own connections to it. Installing firewall
software and updating it regularly, maintaining
current antivirus software, and regularly
updating operating systems and major applications
with security enhancements are actions
that individuals and enterprise operators can
take to help secure cyberspace. To facilitate such
actions, DHS will create a public-private task
force of private companies, organizations, and
consumer users groups to identify ways that
providers of information technology products
and services, and other organizations can make
it easier for home users and small businesses to
secure their systems.

A/R 3-4: Large enterprises are encouraged to
evaluate the security of their networks that
impact the security of the Nation's critical
infrastructures. Such evaluations might include: (1)
conducting audits to ensure effectiveness and
use of best practices; (2) developing continuity
plans which consider offsite staff and
equipment; and, (3) participating in industrywide
information sharing and best practices
dissemination.

A/R 3-5: Colleges and universities are
encouraged to secure their cyber systems by
establishing some or all of the following as
appropriate: (1) one or more ISACs to deal
with cyber attacks and vulnerabilities; (2) model
guidelines empowering Chief Information
Officers (CIOs) to address cybersecurity; (3)
one or more sets of best practices for IT
security; and, (4) model user awareness
programs and materials.

A/R 3-6: A public-private partnership should
continue work in helping to secure the Nation's
cyber infrastructure through participation in, as
appropriate and feasible, a technology and
R&D gap analysis to provide input into the
federal cybersecurity research agenda, coordination
on the conduct of associated research,
and the development and dissemination of best
practices for cybersecurity.

A/R 3-7: DHS will implement and encourage
the establishment of programs to advance the
training of cybersecurity professionals in the
United States, including coordination with
NSF, OPM, and NSA, to identify ways to
leverage the existing Cyber Corps Scholarship
for Service program as well as the various
graduate, postdoctoral, senior researcher, and
faculty development fellowship and traineeship
programs created by the Cyber Security
Research and Development Act, to address
these important training and education
workforce issues.

A/R 3-8: DHS, in coordination with other
agencies with cybersecurity training expertise,
will develop a coordination mechanism linking
federal cybersecurity and computer forensics
training programs.

A/R 3-9: DHS will encourage efforts that are
needed to build foundations for the development
of security certification programs that
will be broadly accepted by the public and
private sectors. DHS and other federal agencies
can aid these efforts by effectively articulating
the needs of the Federal IT security community.

Priority  IV:  Securing  Governments' 
Cyberspace 

A/R 4-1: Federal agencies will continue to
expand the use of automated, enterprise-wide
security assessment and security policy
enforcement tools and actively deploy threat
management tools to deter attacks. The federal
government will determine whether specific
actions are necessary (e.g., through the policy or
budget processes) to promote the greater use of
these tools.

A/R 4-2: Through the ongoing
E-Authentication initiative, the federal
government will review the need for stronger
access control and authentication; explore the
extent to which all departments can employ the
same physical and logical access control tools
and authentication mechanisms; and, consequently,
further promote consistency and
interoperability.

A/R 4-3: Federal agencies should consider
installing systems that continuously check for
unauthorized connections to their networks.
Agency policy and procedures should reflect
careful consideration of additional risk
reduction measures, including the use of strong
encryption, bi-directional authentication,
shielding standards and other technical security
considerations, configuration management,
intrusion detection, incident handling, and
computer security awareness and training
programs.

A/R 4-4: Additionally, the federal government
will be conducting a comprehensive review of
the National Information Assurance
Partnership (NIAP), to determine the extent to
which it is adequately addressing the continuing
problem of security flaws in commercial
software products. This review will include
lessons-learned from implementation of the
Defense Department's July 2002 policy
requiring the acquisition of products reviewed
under the NIAP or similar evaluation processes.

A/R 4-5: The federal government will explore
whether private sector security service providers
to the federal government should be certified as
meeting certain minimum capabilities,
including the extent to which they are
adequately independent.

A/R 4-6: State and local governments are
encouraged to establish IT security programs
for their departments and agencies, including
awareness, audits, and standards; and to participate
in the established ISACs with similar
governments.

Priority  V:  National  Security  and 
International  Cyberspace  Security 
Cooperation 

A/R 5-1: The FBI and intelligence community
should ensure a strong counterintelligence
posture to counter cyber-based intelligence
collection against the U.S. Government, and
commercial and educational organizations. This
effort must include a deeper understanding of
the capability and intent of our adversaries to
use cyberspace as a means for espionage.

A/R 5-2: The intelligence community, DoD,
and the law enforcement agencies must improve
the Nation's ability to quickly attribute the
source of threatening attacks or actions to
enable timely and effective response.

Consistent with the National Security Strategy,
these efforts will also seek to develop capabilities
to prevent attacks from reaching critical
systems and infrastructures.

A/R 5-3: The United States must improve
interagency coordination between law
enforcement, national security, and defense
agencies involving cyber-based attacks and
espionage, ensuring that criminal matters are
referred, as appropriate, among those agencies.

The National Security Council and the Office
of Homeland Security will lead a study to
ensure that appropriate mechanisms are in
place.

A/R 5-4: When a nation, terrorist group, or
other adversary attacks the United States
through cyberspace, the U.S. response need not
be limited to criminal prosecution. The United
States reserves the right to respond in an appropriate
manner. The United States will be
prepared for such contingencies.

A/R  5-5:  The  United  States  will  work  through 
appropriate  international  organizations  and  in 
partnership  with  industry  to  facilitate  dialogue 
between  foreign  public  and  private  sectors  on 
information  infrastructure  protection  and 
promote  a  global  "culture  of  security." 

A/R 5-6: The United States will work with
Canada and Mexico to make North America a
"Safe Cyber Zone." We will expand programs
to identify and secure critical common networks
that underpin telecommunications, energy,
transportation, banking and finance systems,
emergency services, food, public health, and
water systems.

A/R 5-7: The United States will urge each
nation to build on the common Y2K experience
and appoint a centralized point-of-contact who
can act as a liaison between domestic and global
cybersecurity efforts. Establishing points of
contact can greatly enhance the international
coordination and resolution of cyberspace
security issues. We will also encourage each
nation to develop its own watch-and-warning
network capable of informing government
agencies, the public, and other countries about
impending attacks or viruses.

A/R 5-8: To facilitate real-time sharing of the
threat information as it comes to light, the
United States will foster the establishment of an
international network capable of receiving,
assessing, and disseminating this information
globally. Such a network can build on the
capabilities of nongovernmental institutions
such as the Forum of Incident Response and
Security Teams.

A/R 5-9: The United States will encourage
regional organizations, such as the APEC,
EU, and OAS, to each form or designate a
committee responsible for cybersecurity. Such
committees would also benefit from establishing
parallel working groups with
representatives from the private sector. The
United States will also encourage regional
organizations—such as the APEC, EU, and
OAS—to establish a joint committee on cybersecurity
with representatives from government
and the private sector.

A/R 5-10: The United States will encourage
other nations to accede to the Council of
Europe Convention on Cybercrime or to ensure
that their laws and procedures are at least as
comprehensive.